selinux: Use raw contexts

We are currently able to work only with non-translated SELinux
contexts, but we are using functions that work with translated
contexts throughout the code.  This patch swaps all SELinux context
translation relative calls with their raw sisters to avoid parsing
problems.

The problems can be experienced with mcstrans for example.  The
difference is that if you have translations enabled (yum install
mcstrans; service mcstrans start), fgetfilecon_raw() will get you
something like 'system_u:object_r:virt_image_t:s0', whereas
fgetfilecon() will return 'system_u:object_r:virt_image_t:SystemLow'
that we cannot parse.

I was trying to confirm that the _raw variants were here since the dawn of
time, but the only thing I see now is that it was imported together in
the upstream repo [1] from svn, so before 2008.

Thanks Laurent Bigonville for finding this out.

[1] http://oss.tresys.com/git/selinux.git
(cherry picked from commit 9674f2c637114fa6ac0680fe5658a41a62bb34a8)

diff --git a/configure.ac b/configure.ac
index 13ccd97dc35bd52a2d217b8ff53e5d1c6d809336..2293fbc12aed729d2e682e3770acdf2f47cb6cbb 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -1438,14 +1438,14 @@ if test "$with_selinux" != "no"; then
   old_libs="$LIBS"
   if test "$with_selinux" = "check"; then
     AC_CHECK_HEADER([selinux/selinux.h],[],[with_selinux=no])
-    AC_CHECK_LIB([selinux], [fgetfilecon],[],[with_selinux=no])
+    AC_CHECK_LIB([selinux], [fgetfilecon_raw],[],[with_selinux=no])
     if test "$with_selinux" != "no"; then
       with_selinux="yes"
     fi
   else
     fail=0
     AC_CHECK_HEADER([selinux/selinux.h],[],[fail=1])
-    AC_CHECK_LIB([selinux], [fgetfilecon],[],[fail=1])
+    AC_CHECK_LIB([selinux], [fgetfilecon_raw],[],[fail=1])
     test $fail = 1 &&
       AC_MSG_ERROR([You must install the libselinux development package in order to compile libvirt with basic SELinux support])
   fi

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 883a82bf88fd6b4dfaf1069bc81b86ec020e2f1d..b13c8a15f5e8077a4ca77fdd2b8463f870d5a9b8 100644 (file)
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -111,7 +111,7 @@ virSecuritySELinuxMCSFind(virSecurityManagerPtr mgr)
     char *sens, *cat, *tmp;
     int catMin, catMax, catRange;
 
-    if (getcon(&ourSecContext) < 0) {
+    if (getcon_raw(&ourSecContext) < 0) {
         virReportSystemError(errno, "%s",
                              _("Unable to get current process SELinux context"));
         goto cleanup;
@@ -252,7 +252,7 @@ virSecuritySELinuxGenNewContext(const char *basecontext,
     VIR_DEBUG("basecontext=%s mcs=%s isObjectContext=%d",
               basecontext, mcs, isObjectContext);
 
-    if (getcon(&ourSecContext) < 0) {
+    if (getcon_raw(&ourSecContext) < 0) {
         virReportSystemError(errno, "%s",
                              _("Unable to get current process SELinux context"));
         goto cleanup;
@@ -612,7 +612,7 @@ virSecuritySELinuxReserveSecurityLabel(virSecurityManagerPtr mgr,
     if (seclabel->type == VIR_DOMAIN_SECLABEL_STATIC)
         return 0;
 
-    if (getpidcon(pid, &pctx) == -1) {
+    if (getpidcon_raw(pid, &pctx) == -1) {
         virReportSystemError(errno,
                              _("unable to get PID %d security context"), pid);
         return -1;
@@ -713,7 +713,7 @@ virSecuritySELinuxGetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UN
 {
     security_context_t ctx;
 
-    if (getpidcon(pid, &ctx) == -1) {
+    if (getpidcon_raw(pid, &ctx) == -1) {
         virReportSystemError(errno,
                              _("unable to get PID %d security context"),
                              pid);
@@ -753,10 +753,10 @@ virSecuritySELinuxSetFileconHelper(const char *path, char *tcon, bool optional)
 
     VIR_INFO("Setting SELinux context on '%s' to '%s'", path, tcon);
 
-    if (setfilecon(path, tcon) < 0) {
+    if (setfilecon_raw(path, tcon) < 0) {
         int setfilecon_errno = errno;
 
-        if (getfilecon(path, &econ) >= 0) {
+        if (getfilecon_raw(path, &econ) >= 0) {
             if (STREQ(tcon, econ)) {
                 freecon(econ);
                 /* It's alright, there's nothing to change anyway. */
@@ -818,10 +818,10 @@ virSecuritySELinuxFSetFilecon(int fd, char *tcon)
 
     VIR_INFO("Setting SELinux context on fd %d to '%s'", fd, tcon);
 
-    if (fsetfilecon(fd, tcon) < 0) {
+    if (fsetfilecon_raw(fd, tcon) < 0) {
         int fsetfilecon_errno = errno;
 
-        if (fgetfilecon(fd, &econ) >= 0) {
+        if (fgetfilecon_raw(fd, &econ) >= 0) {
             if (STREQ(tcon, econ)) {
                 freecon(econ);
                 /* It's alright, there's nothing to change anyway. */
@@ -1569,7 +1569,7 @@ virSecuritySELinuxSetSecurityProcessLabel(virSecurityManagerPtr mgr,
             return -1;
     }
 
-    if (setexeccon(secdef->label) == -1) {
+    if (setexeccon_raw(secdef->label) == -1) {
         virReportSystemError(errno,
                              _("unable to set security context '%s'"),
                              secdef->label);
@@ -1614,7 +1614,7 @@ virSecuritySELinuxSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr,
         goto done;
     }
 
-    if (getcon(&scon) == -1) {
+    if (getcon_raw(&scon) == -1) {
         virReportSystemError(errno,
                              _("unable to get current process context '%s'"),
                              secdef->label);
@@ -1637,7 +1637,7 @@ virSecuritySELinuxSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr,
 
     VIR_DEBUG("Setting VM %s socket context %s",
               def->name, context_str(proccon));
-    if (setsockcreatecon(context_str(proccon)) == -1) {
+    if (setsockcreatecon_raw(context_str(proccon)) == -1) {
         virReportSystemError(errno,
                              _("unable to set socket security context '%s'"),
                              context_str(proccon));
@@ -1680,7 +1680,7 @@ virSecuritySELinuxSetSecuritySocketLabel(virSecurityManagerPtr mgr,
 
     VIR_DEBUG("Setting VM %s socket context %s",
               vm->name, secdef->label);
-    if (setsockcreatecon(secdef->label) == -1) {
+    if (setsockcreatecon_raw(secdef->label) == -1) {
         virReportSystemError(errno,
                              _("unable to set socket security context '%s'"),
                              secdef->label);
@@ -1720,7 +1720,7 @@ virSecuritySELinuxClearSecuritySocketLabel(virSecurityManagerPtr mgr,
             return -1;
     }
 
-    if (setsockcreatecon(NULL) == -1) {
+    if (setsockcreatecon_raw(NULL) == -1) {
         virReportSystemError(errno,
                              _("unable to clear socket security context '%s'"),
                              secdef->label);

diff --git a/src/storage/storage_backend.c b/src/storage/storage_backend.c
index 1d322324257e73620b12cdc932b612395b84ee08..a32942fb37d09fd77ecb905337f53d154f01d929 100644 (file)
--- a/src/storage/storage_backend.c
+++ b/src/storage/storage_backend.c
@@ -1227,7 +1227,7 @@ virStorageBackendUpdateVolTargetInfoFD(virStorageVolTargetPtr target,
 
 #if HAVE_SELINUX
     /* XXX: make this a security driver call */
-    if (fgetfilecon(fd, &filecon) == -1) {
+    if (fgetfilecon_raw(fd, &filecon) == -1) {
         if (errno != ENODATA && errno != ENOTSUP) {
             virReportSystemError(errno,
                                  _("cannot get file context of '%s'"),

diff --git a/tests/securityselinuxhelper.c b/tests/securityselinuxhelper.c
index 43676defe49fc8079704940e266c91998808ad17..dc63ff3d3a561b0423a7a06bd021ebb6fe85d8a1 100644 (file)
--- a/tests/securityselinuxhelper.c
+++ b/tests/securityselinuxhelper.c
@@ -31,7 +31,7 @@
  * the process context, where as in fact we're faking it all
  */
 
-int getcon(security_context_t *context)
+int getcon_raw(security_context_t *context)
 {
     if (getenv("FAKE_CONTEXT") == NULL) {
         *context = NULL;
@@ -43,7 +43,7 @@ int getcon(security_context_t *context)
     return 0;
 }
 
-int getpidcon(pid_t pid, security_context_t *context)
+int getpidcon_raw(pid_t pid, security_context_t *context)
 {
     if (pid != getpid()) {
         *context = NULL;
@@ -60,7 +60,7 @@ int getpidcon(pid_t pid, security_context_t *context)
     return 0;
 }
 
-int setcon(security_context_t context)
+int setcon_raw(security_context_t context)
 {
     return setenv("FAKE_CONTEXT", context, 1);
 }

diff --git a/tests/securityselinuxtest.c b/tests/securityselinuxtest.c
index 848a39044cd7ab1031f7f94647c250eb97ab5b84..8bcf3a1ce84bac41f334fbefad2bd4986b487e57 100644 (file)
--- a/tests/securityselinuxtest.c
+++ b/tests/securityselinuxtest.c
@@ -217,7 +217,7 @@ testSELinuxGenLabel(const void *opaque)
     context_t con = NULL;
     context_t imgcon = NULL;
 
-    if (setcon((security_context_t)data->pidcon) < 0) {
+    if (setcon_raw((security_context_t)data->pidcon) < 0) {
         perror("Cannot set process security context");
         return -1;
     }