selinux: avoid memory overhead of matchpathcon

author Eric Blake <eblake@redhat.com>

Wed, 1 Dec 2010 01:22:54 +0000 (18:22 -0700)

committer Eric Blake <eblake@redhat.com>

Tue, 14 Dec 2010 00:01:57 +0000 (17:01 -0700)
author Eric Blake <eblake@redhat.com>
Wed, 1 Dec 2010 01:22:54 +0000 (18:22 -0700)
committer Eric Blake <eblake@redhat.com>
Tue, 14 Dec 2010 00:01:57 +0000 (17:01 -0700)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c

index 2a4517207115d41df14abaec0aeee94f2fc55900..37539c262d20a9d0e84e0a4563e30acface1c336 100644 (file)
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -14,6 +14,7 @@
   */
  #include <config.h>
  #include <selinux/selinux.h>
+#include <selinux/label.h>
  #include <selinux/context.h>
  #include <sys/types.h>
  #include <sys/stat.h>
@@ -362,6 +363,7 @@ SELinuxRestoreSecurityFileLabel(const char *path)
  {
      struct stat buf;
      security_context_t fcon = NULL;
+    struct selabel_handle *handle = NULL;
      int rc = -1;
      char *newpath = NULL;
      char ebuf[1024];
@@ -380,14 +382,16 @@ SELinuxRestoreSecurityFileLabel(const char *path)
          goto err;
      }
  
-    if (matchpathcon(newpath, buf.st_mode, &fcon) == 0)  {
-        rc = SELinuxSetFilecon(newpath, fcon);
+    if ((handle = selabel_open(SELABEL_CTX_FILE, NULL, 0)) == NULL ||
+        selabel_lookup(handle, &fcon, newpath, buf.st_mode) < 0) {
+        VIR_WARN("cannot lookup default selinux label for %s", newpath);
      } else {
-        VIR_WARN("cannot lookup default selinux label for %s",
-                 newpath);
+        rc = SELinuxSetFilecon(newpath, fcon);
      }
  
  err:
+    if (handle)
+        selabel_close(handle);
      freecon(fcon);
      VIR_FREE(newpath);
      return rc;
author	Eric Blake <eblake@redhat.com>
	Wed, 1 Dec 2010 01:22:54 +0000 (18:22 -0700)
committer	Eric Blake <eblake@redhat.com>
	Tue, 14 Dec 2010 00:01:57 +0000 (17:01 -0700)