security_selinux.c: Relabel existing mode="bind" UNIX sockets

author David Michael <david@bigbadwolfsecurity.com>

Tue, 28 Jun 2022 12:33:41 +0000 (08:33 -0400)

committer Michal Privoznik <mprivozn@redhat.com>

Fri, 1 Jul 2022 12:51:19 +0000 (14:51 +0200)
author David Michael <david@bigbadwolfsecurity.com>
Tue, 28 Jun 2022 12:33:41 +0000 (08:33 -0400)
committer Michal Privoznik <mprivozn@redhat.com>
Fri, 1 Jul 2022 12:51:19 +0000 (14:51 +0200)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c

index e2f34a27dcdc35b2acbad460df6b0c96dd2018a2..9f2872decc74407d36139f94cbc110fc747401dd 100644 (file)
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -2541,7 +2541,12 @@ virSecuritySELinuxSetChardevLabel(virSecurityManager *mgr,
          break;
  
      case VIR_DOMAIN_CHR_TYPE_UNIX:
-        if (!dev_source->data.nix.listen) {
+        if (!dev_source->data.nix.listen ||
+            (dev_source->data.nix.path &&
+             virFileExists(dev_source->data.nix.path))) {
+            /* Also label mode='bind' sockets if they exist,
+             * e.g. because they were created by libvirt
+             * and passed via FD */
              if (virSecuritySELinuxSetFilecon(mgr,
                                               dev_source->data.nix.path,
                                               imagelabel,
@@ -2618,7 +2623,7 @@ virSecuritySELinuxRestoreChardevLabel(virSecurityManager *mgr,
      case VIR_DOMAIN_CHR_TYPE_UNIX:
          if (!dev_source->data.nix.listen) {
              if (virSecuritySELinuxRestoreFileLabel(mgr,
-                                                   dev_source->data.file.path,
+                                                   dev_source->data.nix.path,
                                                     true) < 0)
                  goto done;
          }
diff --git a/tests/securityselinuxlabeldata/chardev.txt b/tests/securityselinuxlabeldata/chardev.txt

index 3f4b6302b95a3091408f342472b9efbef27f23ba..bdb367f7a59be05265417b9f779af154a8ae8d3f 100644 (file)
--- a/tests/securityselinuxlabeldata/chardev.txt
+++ b/tests/securityselinuxlabeldata/chardev.txt
@@ -2,6 +2,6 @@
  /plain.dev;system_u:object_r:svirt_image_t:s0:c41,c264
  /plain.fifo;system_u:object_r:svirt_image_t:s0:c41,c264
  /nolabel.sock;
-/plain.sock;
+/plain.sock;system_u:object_r:svirt_image_t:s0:c41,c264
  /yeslabel.sock;system_u:object_r:svirt_image_t:s0:c41,c264
  /altlabel.sock;system_u:object_r:svirt_image_custom_t:s0:c41,c264
author	David Michael <david@bigbadwolfsecurity.com>
	Tue, 28 Jun 2022 12:33:41 +0000 (08:33 -0400)
committer	Michal Privoznik <mprivozn@redhat.com>
	Fri, 1 Jul 2022 12:51:19 +0000 (14:51 +0200)
src/security/security_selinux.c		patch \| blob \| blame \| history
tests/securityselinuxlabeldata/chardev.txt		patch \| blob \| blame \| history