Again, trivial. Just copy what is done for kernel and initrd.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
virSecurityDACRestoreFileLabel(mgr, def->os.initrd) < 0)
rc = -1;
+ if (def->os.shim &&
+ virSecurityDACRestoreFileLabel(mgr, def->os.shim) < 0)
+ rc = -1;
+
if (def->os.dtb &&
virSecurityDACRestoreFileLabel(mgr, def->os.dtb) < 0)
rc = -1;
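Review bot: Restoring the label on `def->os.shim` when one domain stops is only safe if the restore is reference-counted, because a shim binary is typically a single host file named by many guests. The same applies to the SELinux restore hunk further down, where a `true` argument is passed but its meaning is not visible here. Nothing in these lines shows whether `virSecurityDACRestoreFileLabel` recalls a remembered owner or resets to a default, so this is worth confirming rather than assuming from the kernel/initrd precedent. I would add a comment above the new check such as `/* shim is usually shared between domains; restore must not revoke access for guests still running */`. The enclosing function starts and ends outside the hunk.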
user, group, true) < 0)
return -1;
+ if (def->os.shim &&
+ virSecurityDACSetOwnership(mgr, NULL,
+ def->os.shim,
+ user, group, true) < 0)
+ return -1;
+
if (def->os.dtb &&
virSecurityDACSetOwnership(mgr, NULL,
def->os.dtb,
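Review bot: The new `virSecurityDACSetOwnership` call hands ownership of the shim file to the domain's `user`/`group`, although the emulator only needs to read it (the virt-aa-helper hunk in this same patch grants just `"r"`). As owner, the emulator process could change the file's mode and then modify it wherever DAC is the only confinement in effect. That matters more for a boot-chain binary that may be shared with other guests or installed by the host's package manager. This mirrors the existing kernel/initrd handling, so I am not asking for a different mechanism, but a comment would help: `/* shim is read-only input; ownership is changed only so the emulator can open it */`. The domain documentation could also advise pointing `os.shim` at a dedicated copy. The statement and the enclosing function continue outside the hunk.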
virSecuritySELinuxRestoreFileLabel(mgr, def->os.initrd, true) < 0)
rc = -1;
+ if (def->os.shim &&
+ virSecuritySELinuxRestoreFileLabel(mgr, def->os.shim, true) < 0)
+ rc = -1;
+
if (def->os.dtb &&
virSecuritySELinuxRestoreFileLabel(mgr, def->os.dtb, true) < 0)
rc = -1;
data->content_context, true) < 0)
return -1;
+ if (def->os.shim &&
+ virSecuritySELinuxSetFilecon(mgr, def->os.shim,
+ data->content_context, true) < 0)
+ return -1;
+
if (def->os.dtb &&
virSecuritySELinuxSetFilecon(mgr, def->os.dtb,
data->content_context, true) < 0)
if (vah_add_file(&buf, ctl->def->os.initrd, "r") != 0)
goto cleanup;
+ if (ctl->def->os.shim)
+ if (vah_add_file(&buf, ctl->def->os.shim, "r") != 0)
+ goto cleanup;
+
if (ctl->def->os.dtb)
if (vah_add_file(&buf, ctl->def->os.dtb, "r") != 0)
goto cleanup;