Change label of fusefs mounted at /proc/meminfo in lxc containers
authorDan Walsh <dwalsh@redhat.com>
Wed, 15 May 2013 14:35:48 +0000 (10:35 -0400)
committerMichal Privoznik <mprivozn@redhat.com>
Wed, 15 May 2013 15:39:22 +0000 (17:39 +0200)
We do not want contained applications to be able to read fusefs_t,
so we want the /proc/meminfo label to match the system default, proc_t.

Fix checking of error codes

src/lxc/lxc_container.c

index 8bad3144f4958de4a59766bbd6bd09bc69485c58..461eb5f3d54af602a483ea0234fca6c51199908d 100644 (file)
 # include <blkid/blkid.h>
 #endif
 
+#if WITH_SELINUX
+# include <selinux/selinux.h>
+#endif
+
 #include "virerror.h"
 #include "virlog.h"
 #include "lxc_container.h"
@@ -756,6 +760,26 @@ static int lxcContainerMountProcFuse(virDomainDefPtr def)
                            def->name)) < 0)
         return ret;
 
+# if WITH_SELINUX
+    if (is_selinux_enabled() > 0) {
+        security_context_t scon;
+        ret = getfilecon("/proc/meminfo", &scon);
+        if (ret < 0) {
+            virReportSystemError(errno,
+                                 _("Failed to get security context of %s for /proc/meminfo mount point"),
+                                 meminfo_path);
+            return ret;
+        }
+        ret = setfilecon(meminfo_path, scon);
+        freecon(scon);
+        if (ret < 0) {
+            virReportSystemError(errno,
+                                 _("Failed to set security context of %s for /proc/meminfo mount point"),
+                                 meminfo_path);
+            return ret;
+        }
+    }
+# endif
     if ((ret = mount(meminfo_path, "/proc/meminfo",
                      NULL, MS_BIND, NULL)) < 0) {
         virReportSystemError(errno,