[PATCH 31/36] security: selinux: Handle security labelling of FD-passed images
Unfortunately unlike with DAC we can't simply ignore labelling for the
FD and it also influences the on-disk state.
Thus we need to relabel the FD and we also store the existing label in
cases when the user will request best-effort label replacement.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/conf/storage_source_conf.c | 1 +
src/conf/storage_source_conf.h | 3 +++
src/security/security_selinux.c | 32 +++++++++++++++++++++++++++++++-
3 files changed, 35 insertions(+), 1 deletion(-)
diff --git a/src/conf/storage_source_conf.c b/src/conf/storage_source_conf.c
index c16016aabc..c647fc3c2f 100644
--- a/src/conf/storage_source_conf.c
+++ b/src/conf/storage_source_conf.c
@@ -1399,6 +1399,7 @@ virStorageSourceFDTupleFinalize(GObject *object)
g_free(fdt->fds);
g_free(fdt->testfds);
+ g_free(fdt->selinuxLabel);
G_OBJECT_CLASS(vir_storage_source_fd_tuple_parent_class)->finalize(object);
}
diff --git a/src/conf/storage_source_conf.h b/src/conf/storage_source_conf.h
index f981261ff4..14a6825d54 100644
--- a/src/conf/storage_source_conf.h
+++ b/src/conf/storage_source_conf.h
@@ -269,6 +269,9 @@ struct _virStorageSourceFDTuple {
/* connection this FD tuple is associated with for auto-closing */
virConnect *conn;
+
+ /* original selinux label when we relabel the image */
+ char *selinuxLabel;
};
G_DECLARE_FINAL_TYPE(virStorageSourceFDTuple, vir_storage_source_fd_tuple, VIR,
STORAGE_SOURCE_FD_TUPLE, GObject);
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 93cc12407a..a42d86216a 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1741,6 +1741,19 @@ virSecuritySELinuxRestoreImageLabelSingle(virSecurityManager *mgr,
if (src->readonly || src->shared)
return 0;
+ if (virStorageSourceIsFD(src)) {
+ if (migrated)
+ return 0;
+
+ if (!src->fdtuple ||
+ !src->fdtuple->selinuxLabel ||
+ src->fdtuple->nfds == 0)
+ return 0;
+
+ ignore_value(virSecuritySELinuxFSetFilecon(src->fdtuple->fds[0],
+ src->fdtuple->selinuxLabel));
+ return 0;
+ }
/* If we have a shared FS and are doing migration, we must not change
* ownership, because that kills access on the destination host which is
@@ -1888,7 +1901,24 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityManager *mgr,
path = vfioGroupDev;
}
- ret = virSecuritySELinuxSetFilecon(mgr, path, use_label, remember);
+ if (virStorageSourceIsFD(src)) {
+ /* We can only really do labelling when we have the FD as the path
+ * may not be accessible for us */
+ if (!src->fdtuple || src->fdtuple->nfds == 0)
+ return 0;
+
+ /* force a writable label for the image if requested */
+ if (src->fdtuple->writable && secdef->imagelabel)
+ use_label = secdef->imagelabel;
+
+ /* store the existing selinux label for the image */
+ if (!src->fdtuple->selinuxLabel)
+ fgetfilecon_raw(src->fdtuple->fds[0],
&src->fdtuple->selinuxLabel);
+
+ ret = virSecuritySELinuxFSetFilecon(src->fdtuple->fds[0], use_label);
+ } else {
+ ret = virSecuritySELinuxSetFilecon(mgr, path, use_label, remember);
+ }
if (ret == 1 && !disk_seclabel) {
/* If we failed to set a label, but virt_use_nfs let us
--
2.38.1