From bac831a6f6cba82adec7419dfdd1124a241a3c3e Mon Sep 17 00:00:00 2001
Message-Id: <bac831a6f6cba82adec7419dfdd1124a241a3c3e@dist-git>
From: Cole Robinson <crobinso@redhat.com>
Date: Thu, 25 Sep 2014 11:21:46 -0400
Subject: [PATCH] security: Fix labelling host devices

https://bugzilla.redhat.com/show_bug.cgi?id=1146550

The check for ISCSI devices was missing a check of subsys type, which
meant we could skip labelling of other host devices as well. This fixes
USB hotplug.

(cherry picked from commit d3489548b52083d7b4ff757e727a7a9471e1fe4f)
Signed-off-by: John Ferlan <jferlan@redhat.com>
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
---
 src/security/security_apparmor.c | 3 ++-
 src/security/security_dac.c      | 6 ++++--
 src/security/security_selinux.c  | 6 ++++--
 3 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 041ce65..3025284 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -828,7 +828,8 @@ AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
     /* Like AppArmorRestoreSecurityImageLabel() for a networked disk,
      * do nothing for an iSCSI hostdev
      */
-    if (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
+    if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI &&
+        scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
         return 0;
 
     if (profile_loaded(secdef->imagelabel) < 0)
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index e398d2c..85253af 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -523,7 +523,8 @@ virSecurityDACSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
     /* Like virSecurityDACSetSecurityImageLabel() for a networked disk,
      * do nothing for an iSCSI hostdev
      */
-    if (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
+    if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI &&
+        scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
         return 0;
 
     cbdata.manager = mgr;
@@ -657,7 +658,8 @@ virSecurityDACRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
     /* Like virSecurityDACRestoreSecurityImageLabelInt() for a networked disk,
      * do nothing for an iSCSI hostdev
      */
-    if (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
+    if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI &&
+        scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
         return 0;
 
     switch ((virDomainHostdevSubsysType) dev->source.subsys.type) {
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 1c9150b..85ad073 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1327,7 +1327,8 @@ virSecuritySELinuxSetSecurityHostdevSubsysLabel(virDomainDefPtr def,
     /* Like virSecuritySELinuxSetSecurityImageLabelInternal() for a networked
      * disk, do nothing for an iSCSI hostdev
      */
-    if (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
+    if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI &&
+        scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
         return 0;
 
     switch (dev->source.subsys.type) {
@@ -1520,7 +1521,8 @@ virSecuritySELinuxRestoreSecurityHostdevSubsysLabel(virSecurityManagerPtr mgr,
     /* Like virSecuritySELinuxRestoreSecurityImageLabelInt() for a networked
      * disk, do nothing for an iSCSI hostdev
      */
-    if (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
+    if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI &&
+        scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
         return 0;
 
     switch (dev->source.subsys.type) {
-- 
2.1.1