On Fri, May 17, 2013 at 09:12:52AM -0400, Daniel J Walsh wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 05/17/2013 05:52 AM, Daniel P. Berrange wrote:
> On Wed, May 15, 2013 at 02:36:32PM -0400, dwalsh(a)redhat.com wrote:
>> From: Dan Walsh <dwalsh(a)redhat.com>
>>
>> mcstransd is a translation tool that can translate MCS Labels into human
>> understandable code. I have patched it to watch for translation files in
>> the /run/setrans directory. This allows us to run commands like ps -eZ
>> and see system_u:system_r:svirt_t:Fedora18 rather then
>> system_u:system_r:svirt_t:s0:c1,c2. When used with containers it would
>> make an easy way to list all processes within a container using ps -eZ |
>> grep Fedora18 --- src/security/security_selinux.c | 59
>> ++++++++++++++++++++++++++++++++++++++++- 1 file changed, 58
>> insertions(+), 1 deletion(-)
>>
>> diff --git a/src/security/security_selinux.c
>> b/src/security/security_selinux.c index 5d108b9..cbcd013 100644 ---
>> a/src/security/security_selinux.c +++ b/src/security/security_selinux.c
>> @@ -83,6 +83,57 @@
>> virSecuritySELinuxRestoreSecurityTPMFileLabelInt(virSecurityManagerPtr
>> mgr, virDomainTPMDefPtr tpm);
>>
>>
>> +static int +virSecuritySELinuxAddMCSFile(const char *name, +
>> const char *label) +{ + int ret = -1; + char *tmp = NULL; +
>> context_t con = NULL; + + if (virAsprintf(&tmp, "%s/%s",
>> SELINUX_TRANS_DIR, name) < 0) { + virReportOOMError(); +
>> return -1; + } + if (! (con = context_new(label))) { +
>> virReportSystemError(errno, "%s", +
_("unable
>> to allocate security context")); + goto cleanup; + } + if
>> (virFileWriteStr(tmp, context_range_get(con), 0) < 0) { +
>> virReportSystemError(errno, + _("unable to
>> create MCS file %s"), tmp); + goto cleanup; + } + ret = 0;
>> + +cleanup: + VIR_FREE(tmp); + context_free(con); + return ret;
>> +} + +static int +virSecuritySELinuxRemoveMCSFile(const char *name) +{ +
>> char *tmp=NULL; + int ret = -1; + if (virAsprintf(&tmp,
"%s/%s",
>> SELINUX_TRANS_DIR, name) < 0) { + virReportOOMError(); +
>> return -1; + } + if (unlink(tmp) < 0 && errno != ENOENT) { +
>> virReportSystemError(errno, + _("Unable to
>> remove MCS file %s"), tmp); + goto cleanup; + } + ret = 0;
>> + +cleanup: + VIR_FREE(tmp); + return ret; +} + /* * Returns 0 on
>> success, 1 if already reserved, or -1 on fatal error */ @@ -1953,7
>> +2004,7 @@ virSecuritySELinuxReleaseSecurityLabel(virSecurityManagerPtr
>> mgr, } VIR_FREE(secdef->imagelabel);
>>
>> - return 0; + return virSecuritySELinuxRemoveMCSFile(def->name); }
>>
>>
>> @@ -2047,10 +2098,16 @@
>> virSecuritySELinuxSetSecurityProcessLabel(virSecurityManagerPtr mgr
>> ATTRIBUTE_UN return -1; }
>>
>> + if (virSecuritySELinuxAddMCSFile(def->name, secdef->label) < 0) {
+
>> if (security_getenforce() == 1) + return -1; + } +
>
> As you mentioned offlist, this is not going to work because the
> SetProcessLabel function is called in a child process, where you can't
> guarantee to see the host's /run directory.
>
> Instead it should be done in the GenSecurityLabel function which is called
> from a safe context.
>
>
> Daniel
>
Fine, but what about the case where the user is running libvirt and libvirt is
not allowed to write to /run/setrans. Should we just silently fail in this case?
We need to pass in the 'bool privileged' flag from the QEMU driver
to the virSecurityManagerNew() function. Then the SELinux driver
can skip this mcsfile code if !privileged.
Daniel
--
|:
http://berrange.com -o-
http://www.flickr.com/photos/dberrange/ :|
|:
http://libvirt.org -o-
http://virt-manager.org :|
|:
http://autobuild.org -o-
http://search.cpan.org/~danberr/ :|
|:
http://entangle-photo.org -o-
http://live.gnome.org/gtk-vnc :|