From: Michal Privoznik <mprivozn@redhat.com>
Date: Tue, 30 Jul 2024 15:36:40 +0000 (+0200)
Subject: security: Allow RW access to pstore device
X-Git-Tag: v10.6.0~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ac0b669c562574b3b5c94ce6f922819bb0a21bf1;p=thirdparty%2Flibvirt.git

security: Allow RW access to pstore device

The whole point of pstore device is that the guest writes crash
dumps into it. But the way SELinux label is set on the
corresponding file warrants RO access only. This is due to a
copy-paste from code around: kernel/initrd/DTB/SLIC - these are
RO indeed, but pstore MUST be writable too. In a sense it's
closer to NVRAM/disks - hence set imagelabel on it.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
---

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index ba0ce8fb9d..31df4d22db 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -3341,7 +3341,7 @@ virSecuritySELinuxSetAllLabel(virSecurityManager *mgr,
 
     if (def->pstore &&
         virSecuritySELinuxSetFilecon(mgr, def->pstore->path,
-                                     data->content_context, true) < 0)
+                                     secdef->imagelabel, true) < 0)
         return -1;
 
     return 0;