From bac831a6f6cba82adec7419dfdd1124a241a3c3e Mon Sep 17 00:00:00 2001 Message-Id: From: Cole Robinson Date: Thu, 25 Sep 2014 11:21:46 -0400 Subject: [PATCH] security: Fix labelling host devices https://bugzilla.redhat.com/show_bug.cgi?id=1146550 The check for ISCSI devices was missing a check of subsys type, which meant we could skip labelling of other host devices as well. This fixes USB hotplug. (cherry picked from commit d3489548b52083d7b4ff757e727a7a9471e1fe4f) Signed-off-by: John Ferlan Signed-off-by: Jiri Denemark --- src/security/security_apparmor.c | 3 ++- src/security/security_dac.c | 6 ++++-- src/security/security_selinux.c | 6 ++++-- 3 files changed, 10 insertions(+), 5 deletions(-) diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c index 041ce65..3025284 100644 --- a/src/security/security_apparmor.c +++ b/src/security/security_apparmor.c @@ -828,7 +828,8 @@ AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr, /* Like AppArmorRestoreSecurityImageLabel() for a networked disk, * do nothing for an iSCSI hostdev */ - if (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI) + if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI && + scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI) return 0; if (profile_loaded(secdef->imagelabel) < 0) diff --git a/src/security/security_dac.c b/src/security/security_dac.c index e398d2c..85253af 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -523,7 +523,8 @@ virSecurityDACSetSecurityHostdevLabel(virSecurityManagerPtr mgr, /* Like virSecurityDACSetSecurityImageLabel() for a networked disk, * do nothing for an iSCSI hostdev */ - if (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI) + if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI && + scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI) return 0; cbdata.manager = mgr; @@ -657,7 +658,8 @@ virSecurityDACRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr, /* Like virSecurityDACRestoreSecurityImageLabelInt() for a networked disk, * do nothing for an iSCSI hostdev */ - if (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI) + if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI && + scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI) return 0; switch ((virDomainHostdevSubsysType) dev->source.subsys.type) { diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 1c9150b..85ad073 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -1327,7 +1327,8 @@ virSecuritySELinuxSetSecurityHostdevSubsysLabel(virDomainDefPtr def, /* Like virSecuritySELinuxSetSecurityImageLabelInternal() for a networked * disk, do nothing for an iSCSI hostdev */ - if (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI) + if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI && + scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI) return 0; switch (dev->source.subsys.type) { @@ -1520,7 +1521,8 @@ virSecuritySELinuxRestoreSecurityHostdevSubsysLabel(virSecurityManagerPtr mgr, /* Like virSecuritySELinuxRestoreSecurityImageLabelInt() for a networked * disk, do nothing for an iSCSI hostdev */ - if (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI) + if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI && + scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI) return 0; switch (dev->source.subsys.type) { -- 2.1.1