render / rpms / libvirt

Forked from rpms/libvirt 10 months ago
Clone
7a3408
From 3306e7bb963713b01f31a12b61f7166d8412126c Mon Sep 17 00:00:00 2001
7a3408
Message-Id: <3306e7bb963713b01f31a12b61f7166d8412126c@dist-git>
7a3408
From: Michal Privoznik <mprivozn@redhat.com>
7a3408
Date: Tue, 15 Sep 2015 11:51:24 +0200
7a3408
Subject: [PATCH] security_selinux: Take @privileged into account
7a3408
7a3408
https://bugzilla.redhat.com/show_bug.cgi?id=1124841
7a3408
7a3408
If running in session mode it may happen that we fail to set
7a3408
correct SELinux label, but the image may still be readable to
7a3408
the qemu process. Take this into account.
7a3408
7a3408
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
7a3408
(cherry picked from commit 00e5b967168bab252ea2bef977ad40b4155f08df)
7a3408
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
7a3408
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
7a3408
---
7a3408
 src/security/security_selinux.c | 126 +++++++++++++++++++++++++---------------
7a3408
 1 file changed, 78 insertions(+), 48 deletions(-)
7a3408
7a3408
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
7a3408
index c6da6b0..c2464c2 100644
7a3408
--- a/src/security/security_selinux.c
7a3408
+++ b/src/security/security_selinux.c
7a3408
@@ -886,7 +886,8 @@ virSecuritySELinuxGetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UN
7a3408
  * return 1 if labelling was not possible.  Otherwise, require a label
7a3408
  * change, and return 0 for success, -1 for failure.  */
7a3408
 static int
7a3408
-virSecuritySELinuxSetFileconHelper(const char *path, char *tcon, bool optional)
7a3408
+virSecuritySELinuxSetFileconHelper(const char *path, char *tcon,
7a3408
+                                   bool optional, bool privileged)
7a3408
 {
7a3408
     security_context_t econ;
7a3408
 
7a3408
@@ -915,7 +916,10 @@ virSecuritySELinuxSetFileconHelper(const char *path, char *tcon, bool optional)
7a3408
             virReportSystemError(setfilecon_errno,
7a3408
                                  _("unable to set security context '%s' on '%s'"),
7a3408
                                  tcon, path);
7a3408
-            if (security_getenforce() == 1)
7a3408
+            /* However, don't claim error if SELinux is in Enforcing mode and
7a3408
+             * we are running as unprivileged user and we really did see EPERM.
7a3408
+             * Otherwise we want to return error if SELinux is Enforcing. */
7a3408
+            if (security_getenforce() == 1 && (setfilecon_errno != EPERM || privileged))
7a3408
                 return -1;
7a3408
         } else {
7a3408
             const char *msg;
7a3408
@@ -939,15 +943,19 @@ virSecuritySELinuxSetFileconHelper(const char *path, char *tcon, bool optional)
7a3408
 }
7a3408
 
7a3408
 static int
7a3408
-virSecuritySELinuxSetFileconOptional(const char *path, char *tcon)
7a3408
+virSecuritySELinuxSetFileconOptional(virSecurityManagerPtr mgr,
7a3408
+                                     const char *path, char *tcon)
7a3408
 {
7a3408
-    return virSecuritySELinuxSetFileconHelper(path, tcon, true);
7a3408
+    bool privileged = virSecurityManagerGetPrivileged(mgr);
7a3408
+    return virSecuritySELinuxSetFileconHelper(path, tcon, true, privileged);
7a3408
 }
7a3408
 
7a3408
 static int
7a3408
-virSecuritySELinuxSetFilecon(const char *path, char *tcon)
7a3408
+virSecuritySELinuxSetFilecon(virSecurityManagerPtr mgr,
7a3408
+                             const char *path, char *tcon)
7a3408
 {
7a3408
-    return virSecuritySELinuxSetFileconHelper(path, tcon, false);
7a3408
+    bool privileged = virSecurityManagerGetPrivileged(mgr);
7a3408
+    return virSecuritySELinuxSetFileconHelper(path, tcon, false, privileged);
7a3408
 }
7a3408
 
7a3408
 static int
7a3408
@@ -1037,7 +1045,7 @@ virSecuritySELinuxRestoreSecurityFileLabel(virSecurityManagerPtr mgr,
7a3408
         VIR_WARN("cannot lookup default selinux label for %s", newpath);
7a3408
         rc = 0;
7a3408
     } else {
7a3408
-        rc = virSecuritySELinuxSetFilecon(newpath, fcon);
7a3408
+        rc = virSecuritySELinuxSetFilecon(mgr, newpath, fcon);
7a3408
     }
7a3408
 
7a3408
  err:
7a3408
@@ -1064,12 +1072,13 @@ virSecuritySELinuxSetSecurityTPMFileLabel(virSecurityManagerPtr mgr,
7a3408
     switch (tpm->type) {
7a3408
     case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
7a3408
         tpmdev = tpm->data.passthrough.source.data.file.path;
7a3408
-        rc = virSecuritySELinuxSetFilecon(tpmdev, seclabel->imagelabel);
7a3408
+        rc = virSecuritySELinuxSetFilecon(mgr, tpmdev, seclabel->imagelabel);
7a3408
         if (rc < 0)
7a3408
             return -1;
7a3408
 
7a3408
         if ((cancel_path = virTPMCreateCancelPath(tpmdev)) != NULL) {
7a3408
-            rc = virSecuritySELinuxSetFilecon(cancel_path,
7a3408
+            rc = virSecuritySELinuxSetFilecon(mgr,
7a3408
+                                              cancel_path,
7a3408
                                               seclabel->imagelabel);
7a3408
             VIR_FREE(cancel_path);
7a3408
             if (rc < 0) {
7a3408
@@ -1223,22 +1232,26 @@ virSecuritySELinuxSetSecurityImageLabelInternal(virSecurityManagerPtr mgr,
7a3408
         return 0;
7a3408
 
7a3408
     if (disk_seclabel && disk_seclabel->relabel && disk_seclabel->label) {
7a3408
-        ret = virSecuritySELinuxSetFilecon(src->path, disk_seclabel->label);
7a3408
+        ret = virSecuritySELinuxSetFilecon(mgr, src->path, disk_seclabel->label);
7a3408
     } else if (first) {
7a3408
         if (src->shared) {
7a3408
-            ret = virSecuritySELinuxSetFileconOptional(src->path,
7a3408
+            ret = virSecuritySELinuxSetFileconOptional(mgr,
7a3408
+                                                       src->path,
7a3408
                                                        data->file_context);
7a3408
         } else if (src->readonly) {
7a3408
-            ret = virSecuritySELinuxSetFileconOptional(src->path,
7a3408
+            ret = virSecuritySELinuxSetFileconOptional(mgr,
7a3408
+                                                       src->path,
7a3408
                                                        data->content_context);
7a3408
         } else if (secdef->imagelabel) {
7a3408
-            ret = virSecuritySELinuxSetFileconOptional(src->path,
7a3408
+            ret = virSecuritySELinuxSetFileconOptional(mgr,
7a3408
+                                                       src->path,
7a3408
                                                        secdef->imagelabel);
7a3408
         } else {
7a3408
             ret = 0;
7a3408
         }
7a3408
     } else {
7a3408
-        ret = virSecuritySELinuxSetFileconOptional(src->path,
7a3408
+        ret = virSecuritySELinuxSetFileconOptional(mgr,
7a3408
+                                                   src->path,
7a3408
                                                    data->content_context);
7a3408
     }
7a3408
 
7a3408
@@ -1290,17 +1303,18 @@ virSecuritySELinuxSetSecurityDiskLabel(virSecurityManagerPtr mgr,
7a3408
     return 0;
7a3408
 }
7a3408
 
7a3408
-
7a3408
 static int
7a3408
 virSecuritySELinuxSetSecurityHostdevLabelHelper(const char *file, void *opaque)
7a3408
 {
7a3408
     virSecurityLabelDefPtr secdef;
7a3408
-    virDomainDefPtr def = opaque;
7a3408
+    virSecuritySELinuxCallbackDataPtr data = opaque;
7a3408
+    virSecurityManagerPtr mgr = data->mgr;
7a3408
+    virDomainDefPtr def = data->def;
7a3408
 
7a3408
     secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
7a3408
     if (secdef == NULL)
7a3408
         return 0;
7a3408
-    return virSecuritySELinuxSetFilecon(file, secdef->imagelabel);
7a3408
+    return virSecuritySELinuxSetFilecon(mgr, file, secdef->imagelabel);
7a3408
 }
7a3408
 
7a3408
 static int
7a3408
@@ -1331,13 +1345,14 @@ virSecuritySELinuxSetSecuritySCSILabel(virSCSIDevicePtr dev,
7a3408
         return 0;
7a3408
 
7a3408
     if (virSCSIDeviceGetShareable(dev))
7a3408
-        return virSecuritySELinuxSetFileconOptional(file,
7a3408
+        return virSecuritySELinuxSetFileconOptional(mgr, file,
7a3408
                                                     data->file_context);
7a3408
     else if (virSCSIDeviceGetReadonly(dev))
7a3408
-        return virSecuritySELinuxSetFileconOptional(file,
7a3408
+        return virSecuritySELinuxSetFileconOptional(mgr, file,
7a3408
                                                     data->content_context);
7a3408
     else
7a3408
-        return virSecuritySELinuxSetFileconOptional(file, secdef->imagelabel);
7a3408
+        return virSecuritySELinuxSetFileconOptional(mgr, file,
7a3408
+                                                    secdef->imagelabel);
7a3408
 }
7a3408
 
7a3408
 static int
7a3408
@@ -1350,6 +1365,8 @@ virSecuritySELinuxSetSecurityHostdevSubsysLabel(virSecurityManagerPtr mgr,
7a3408
     virDomainHostdevSubsysUSBPtr usbsrc = &dev->source.subsys.u.usb;
7a3408
     virDomainHostdevSubsysPCIPtr pcisrc = &dev->source.subsys.u.pci;
7a3408
     virDomainHostdevSubsysSCSIPtr scsisrc = &dev->source.subsys.u.scsi;
7a3408
+    virSecuritySELinuxCallbackData data = {.mgr = mgr, .def = def};
7a3408
+
7a3408
     int ret = -1;
7a3408
 
7a3408
     /* Like virSecuritySELinuxSetSecurityImageLabelInternal() for a networked
7a3408
@@ -1372,7 +1389,7 @@ virSecuritySELinuxSetSecurityHostdevSubsysLabel(virSecurityManagerPtr mgr,
7a3408
         if (!usb)
7a3408
             goto done;
7a3408
 
7a3408
-        ret = virUSBDeviceFileIterate(usb, virSecuritySELinuxSetSecurityUSBLabel, def);
7a3408
+        ret = virUSBDeviceFileIterate(usb, virSecuritySELinuxSetSecurityUSBLabel, &data);
7a3408
         virUSBDeviceFree(usb);
7a3408
         break;
7a3408
     }
7a3408
@@ -1392,10 +1409,10 @@ virSecuritySELinuxSetSecurityHostdevSubsysLabel(virSecurityManagerPtr mgr,
7a3408
                 virPCIDeviceFree(pci);
7a3408
                 goto done;
7a3408
             }
7a3408
-            ret = virSecuritySELinuxSetSecurityPCILabel(pci, vfioGroupDev, def);
7a3408
+            ret = virSecuritySELinuxSetSecurityPCILabel(pci, vfioGroupDev, &data);
7a3408
             VIR_FREE(vfioGroupDev);
7a3408
         } else {
7a3408
-            ret = virPCIDeviceFileIterate(pci, virSecuritySELinuxSetSecurityPCILabel, def);
7a3408
+            ret = virPCIDeviceFileIterate(pci, virSecuritySELinuxSetSecurityPCILabel, &data);
7a3408
         }
7a3408
         virPCIDeviceFree(pci);
7a3408
         break;
7a3408
@@ -1403,7 +1420,6 @@ virSecuritySELinuxSetSecurityHostdevSubsysLabel(virSecurityManagerPtr mgr,
7a3408
 
7a3408
     case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI: {
7a3408
         virDomainHostdevSubsysSCSIHostPtr scsihostsrc = &scsisrc->u.host;
7a3408
-        virSecuritySELinuxCallbackData data = {.mgr = mgr, .def = def};
7a3408
 
7a3408
         virSCSIDevicePtr scsi =
7a3408
             virSCSIDeviceNew(NULL,
7a3408
@@ -1433,7 +1449,8 @@ virSecuritySELinuxSetSecurityHostdevSubsysLabel(virSecurityManagerPtr mgr,
7a3408
 
7a3408
 
7a3408
 static int
7a3408
-virSecuritySELinuxSetSecurityHostdevCapsLabel(virDomainDefPtr def,
7a3408
+virSecuritySELinuxSetSecurityHostdevCapsLabel(virSecurityManagerPtr mgr,
7a3408
+                                              virDomainDefPtr def,
7a3408
                                               virDomainHostdevDefPtr dev,
7a3408
                                               const char *vroot)
7a3408
 {
7a3408
@@ -1455,7 +1472,7 @@ virSecuritySELinuxSetSecurityHostdevCapsLabel(virDomainDefPtr def,
7a3408
             if (VIR_STRDUP(path, dev->source.caps.u.storage.block) < 0)
7a3408
                 return -1;
7a3408
         }
7a3408
-        ret = virSecuritySELinuxSetFilecon(path, secdef->imagelabel);
7a3408
+        ret = virSecuritySELinuxSetFilecon(mgr, path, secdef->imagelabel);
7a3408
         VIR_FREE(path);
7a3408
         break;
7a3408
     }
7a3408
@@ -1469,7 +1486,7 @@ virSecuritySELinuxSetSecurityHostdevCapsLabel(virDomainDefPtr def,
7a3408
             if (VIR_STRDUP(path, dev->source.caps.u.misc.chardev) < 0)
7a3408
                 return -1;
7a3408
         }
7a3408
-        ret = virSecuritySELinuxSetFilecon(path, secdef->imagelabel);
7a3408
+        ret = virSecuritySELinuxSetFilecon(mgr, path, secdef->imagelabel);
7a3408
         VIR_FREE(path);
7a3408
         break;
7a3408
     }
7a3408
@@ -1502,7 +1519,8 @@ virSecuritySELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
7a3408
                                                                dev, vroot);
7a3408
 
7a3408
     case VIR_DOMAIN_HOSTDEV_MODE_CAPABILITIES:
7a3408
-        return virSecuritySELinuxSetSecurityHostdevCapsLabel(def, dev, vroot);
7a3408
+        return virSecuritySELinuxSetSecurityHostdevCapsLabel(mgr, def,
7a3408
+                                                             dev, vroot);
7a3408
 
7a3408
     default:
7a3408
         return 0;
7a3408
@@ -1707,7 +1725,8 @@ virSecuritySELinuxRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
7a3408
 
7a3408
 
7a3408
 static int
7a3408
-virSecuritySELinuxSetSecurityChardevLabel(virDomainDefPtr def,
7a3408
+virSecuritySELinuxSetSecurityChardevLabel(virSecurityManagerPtr mgr,
7a3408
+                                          virDomainDefPtr def,
7a3408
                                           virDomainChrDefPtr dev,
7a3408
                                           virDomainChrSourceDefPtr dev_source)
7a3408
 
7a3408
@@ -1737,13 +1756,15 @@ virSecuritySELinuxSetSecurityChardevLabel(virDomainDefPtr def,
7a3408
     switch (dev_source->type) {
7a3408
     case VIR_DOMAIN_CHR_TYPE_DEV:
7a3408
     case VIR_DOMAIN_CHR_TYPE_FILE:
7a3408
-        ret = virSecuritySELinuxSetFilecon(dev_source->data.file.path,
7a3408
+        ret = virSecuritySELinuxSetFilecon(mgr,
7a3408
+                                           dev_source->data.file.path,
7a3408
                                            imagelabel);
7a3408
         break;
7a3408
 
7a3408
     case VIR_DOMAIN_CHR_TYPE_UNIX:
7a3408
         if (!dev_source->data.nix.listen) {
7a3408
-            if (virSecuritySELinuxSetFilecon(dev_source->data.nix.path,
7a3408
+            if (virSecuritySELinuxSetFilecon(mgr,
7a3408
+                                             dev_source->data.nix.path,
7a3408
                                              imagelabel) < 0)
7a3408
                 goto done;
7a3408
         }
7a3408
@@ -1755,11 +1776,12 @@ virSecuritySELinuxSetSecurityChardevLabel(virDomainDefPtr def,
7a3408
             (virAsprintf(&out, "%s.out", dev_source->data.file.path) < 0))
7a3408
             goto done;
7a3408
         if (virFileExists(in) && virFileExists(out)) {
7a3408
-            if ((virSecuritySELinuxSetFilecon(in, imagelabel) < 0) ||
7a3408
-                (virSecuritySELinuxSetFilecon(out, imagelabel) < 0)) {
7a3408
+            if ((virSecuritySELinuxSetFilecon(mgr, in, imagelabel) < 0) ||
7a3408
+                (virSecuritySELinuxSetFilecon(mgr, out, imagelabel) < 0)) {
7a3408
                 goto done;
7a3408
             }
7a3408
-        } else if (virSecuritySELinuxSetFilecon(dev_source->data.file.path,
7a3408
+        } else if (virSecuritySELinuxSetFilecon(mgr,
7a3408
+                                                dev_source->data.file.path,
7a3408
                                                 imagelabel) < 0) {
7a3408
             goto done;
7a3408
         }
7a3408
@@ -2000,7 +2022,7 @@ virSecuritySELinuxReleaseSecurityLabel(virSecurityManagerPtr mgr,
7a3408
 
7a3408
 
7a3408
 static int
7a3408
-virSecuritySELinuxSetSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
7a3408
+virSecuritySELinuxSetSavedStateLabel(virSecurityManagerPtr mgr,
7a3408
                                      virDomainDefPtr def,
7a3408
                                      const char *savefile)
7a3408
 {
7a3408
@@ -2010,7 +2032,7 @@ virSecuritySELinuxSetSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
7a3408
     if (!secdef || !secdef->relabel)
7a3408
         return 0;
7a3408
 
7a3408
-    return virSecuritySELinuxSetFilecon(savefile, secdef->imagelabel);
7a3408
+    return virSecuritySELinuxSetFilecon(mgr, savefile, secdef->imagelabel);
7a3408
 }
7a3408
 
7a3408
 
7a3408
@@ -2242,14 +2264,16 @@ virSecuritySELinuxClearSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_U
7a3408
 static int
7a3408
 virSecuritySELinuxSetSecurityChardevCallback(virDomainDefPtr def,
7a3408
                                              virDomainChrDefPtr dev,
7a3408
-                                             void *opaque ATTRIBUTE_UNUSED)
7a3408
+                                             void *opaque)
7a3408
 {
7a3408
+    virSecurityManagerPtr mgr = opaque;
7a3408
+
7a3408
     /* This is taken care of by processing of def->serials */
7a3408
     if (dev->deviceType == VIR_DOMAIN_CHR_DEVICE_TYPE_CONSOLE &&
7a3408
         dev->targetType == VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_SERIAL)
7a3408
         return 0;
7a3408
 
7a3408
-    return virSecuritySELinuxSetSecurityChardevLabel(def, dev, &dev->source);
7a3408
+    return virSecuritySELinuxSetSecurityChardevLabel(mgr, def, dev, &dev->source);
7a3408
 }
7a3408
 
7a3408
 
7a3408
@@ -2270,10 +2294,11 @@ virSecuritySELinuxSetSecuritySmartcardCallback(virDomainDefPtr def,
7a3408
         database = dev->data.cert.database;
7a3408
         if (!database)
7a3408
             database = VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE;
7a3408
-        return virSecuritySELinuxSetFilecon(database, data->content_context);
7a3408
+        return virSecuritySELinuxSetFilecon(mgr, database, data->content_context);
7a3408
 
7a3408
     case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
7a3408
-        return virSecuritySELinuxSetSecurityChardevLabel(def, NULL, &dev->data.passthru);
7a3408
+        return virSecuritySELinuxSetSecurityChardevLabel(mgr, def, NULL,
7a3408
+                                                         &dev->data.passthru);
7a3408
 
7a3408
     default:
7a3408
         virReportError(VIR_ERR_INTERNAL_ERROR,
7a3408
@@ -2330,7 +2355,7 @@ virSecuritySELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
7a3408
     if (virDomainChrDefForeach(def,
7a3408
                                true,
7a3408
                                virSecuritySELinuxSetSecurityChardevCallback,
7a3408
-                               NULL) < 0)
7a3408
+                               mgr) < 0)
7a3408
         return -1;
7a3408
 
7a3408
     if (virDomainSmartcardDefForeach(def,
7a3408
@@ -2343,23 +2368,28 @@ virSecuritySELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
7a3408
      * is really a disk, qemu can read and write to it. */
7a3408
     if (def->os.loader && def->os.loader->nvram &&
7a3408
         secdef && secdef->imagelabel &&
7a3408
-        virSecuritySELinuxSetFilecon(def->os.loader->nvram, secdef->imagelabel) < 0)
7a3408
+        virSecuritySELinuxSetFilecon(mgr, def->os.loader->nvram,
7a3408
+                                     secdef->imagelabel) < 0)
7a3408
         return -1;
7a3408
 
7a3408
     if (def->os.kernel &&
7a3408
-        virSecuritySELinuxSetFilecon(def->os.kernel, data->content_context) < 0)
7a3408
+        virSecuritySELinuxSetFilecon(mgr, def->os.kernel,
7a3408
+                                     data->content_context) < 0)
7a3408
         return -1;
7a3408
 
7a3408
     if (def->os.initrd &&
7a3408
-        virSecuritySELinuxSetFilecon(def->os.initrd, data->content_context) < 0)
7a3408
+        virSecuritySELinuxSetFilecon(mgr, def->os.initrd,
7a3408
+                                     data->content_context) < 0)
7a3408
         return -1;
7a3408
 
7a3408
     if (def->os.dtb &&
7a3408
-        virSecuritySELinuxSetFilecon(def->os.dtb, data->content_context) < 0)
7a3408
+        virSecuritySELinuxSetFilecon(mgr, def->os.dtb,
7a3408
+                                     data->content_context) < 0)
7a3408
         return -1;
7a3408
 
7a3408
     if (stdin_path &&
7a3408
-        virSecuritySELinuxSetFilecon(stdin_path, data->content_context) < 0)
7a3408
+        virSecuritySELinuxSetFilecon(mgr, stdin_path,
7a3408
+                                     data->content_context) < 0)
7a3408
         return -1;
7a3408
 
7a3408
     return 0;
7a3408
@@ -2507,7 +2537,7 @@ virSecuritySELinuxGetSecurityMountOptions(virSecurityManagerPtr mgr,
7a3408
 }
7a3408
 
7a3408
 static int
7a3408
-virSecuritySELinuxDomainSetDirLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
7a3408
+virSecuritySELinuxDomainSetDirLabel(virSecurityManagerPtr mgr,
7a3408
                                     virDomainDefPtr def,
7a3408
                                     const char *path)
7a3408
 {
7a3408
@@ -2517,7 +2547,7 @@ virSecuritySELinuxDomainSetDirLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
7a3408
     if (!seclabel || !seclabel->relabel)
7a3408
         return 0;
7a3408
 
7a3408
-    return virSecuritySELinuxSetFilecon(path, seclabel->imagelabel);
7a3408
+    return virSecuritySELinuxSetFilecon(mgr, path, seclabel->imagelabel);
7a3408
 }
7a3408
 
7a3408
 virSecurityDriver virSecurityDriverSELinux = {
7a3408
-- 
7a3408
2.5.3
7a3408