git.ipfire.org Git - thirdparty/libvirt.git/commitdiff
security: Allow RW access to pstore device
author Michal Privoznik <mprivozn@redhat.com>
Tue, 30 Jul 2024 15:36:40 +0000 (17:36 +0200)
committer Andrea Bolognani <abologna@redhat.com>
Wed, 31 Jul 2024 12:15:59 +0000 (14:15 +0200)

The whole point of pstore device is that the guest writes crash
dumps into it. But the way SELinux label is set on the
corresponding file warrants RO access only. This is due to a
copy-paste from code around: kernel/initrd/DTB/SLIC - these are
RO indeed, but pstore MUST be writable too. In a sense it's
closer to NVRAM/disks - hence set imagelabel on it.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
src/security/security_selinux.c

index ba0ce8fb9d182e25639b01449ca88e896f431928..31df4d22db268f7dfc6c31ac9170dfd9a5f35554 100644 (file)
@@ -3341,7 +3341,7 @@ virSecuritySELinuxSetAllLabel(virSecurityManager *mgr,
 
     if (def->pstore &&
         virSecuritySELinuxSetFilecon(mgr, def->pstore->path,
-                                     data->content_context, true) < 0)
+                                     secdef->imagelabel, true) < 0)
         return -1;
 
     return 0;
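
Review bot: The `def->pstore` block in virSecuritySELinuxSetAllLabel() now differs from a read-only labelling call only in its context argument, and nothing in the code says why. A one-line comment above `if (def->pstore &&` stating that the guest writes crash dumps to this file, so it needs `secdef->imagelabel` rather than `data->content_context`, would keep a later cleanup from aligning it with the kernel/initrd/DTB/SLIC handling again. Two things the hunk does not show and that are worth confirming before merge: that `secdef->imagelabel` is always set by the time this call is reached, and that the restore path for `def->pstore->path` still behaves correctly now that the file carries the per-domain image label instead of the shared content context.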