On 9/20/21 5:57 PM, Ján Tomko wrote:
> On a Monday in 2021, Michal Privoznik wrote:
> > In selinux driver there's virSecuritySELinuxSetFileconImpl()
> > which is responsible for actual setting of SELinux label on given
> > file and handling possible failures. In the failure handling code
> > we decide whether failure is fatal or not. But there is a bug:
> > depending on SELinux mode (Permissive vs. Enforcing) the ENOENT
> > is either ignored or considered fatal. This is not correct - ENOENT
> > must always be fatal - QEMU will fail opening it anyways.
> >
> > Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2004850
>
> It won't get as far as trying to start QEMU. The error message in the
> linked bug:
>
> error: unable to stat: /var/lib/libvirt/images/slic.dat: No such file
> or directory
>
> comes from the DAC driver.

Correct. I should have rephrased that.

> IIUC in virSecurityStackTransactionCommit we happily commit the SELinux
> changes, fail to commit the DAC changes, but the rollback calling
> virSecurityManagerTransactionAbort does nothing.

Indeed.

> And since qemuSecuritySetAllLabel does not complete successfully,
> qemuProcessLaunch does not ask its callers to restore the labels.

Yes.
Michal
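A small C model of the two points raised in this exchange, added here as an illustration and not code from libvirt or from the patch under review. The SELinux-like driver treats ENOENT as fatal in both modes, and a stack commit that remembers which drivers already committed aborts exactly those when a later driver fails, in contrast to the path described above where the abort leaves the SELinux changes in place. The drivers, the in-memory `label_store` table and its `chown_allowed` flag are constructed for the example; the rule that errors other than ENOENT are tolerated only in permissive mode is an assumption of the model, not a statement about libvirt's actual rules.

```c
#include <errno.h>
#include <stdio.h>
/* Constructed model for this thread, not libvirt code: an SELinux-like and a
 * DAC-like driver label files in an in-memory table; a stack driver commits
 * them in order. */
enum selinux_mode { MODE_PERMISSIVE = 0, MODE_ENFORCING = 1 };

#define MAX_FILES 8
struct label_store {
    int nfiles;
    int exists[MAX_FILES];         /* does the file exist on disk? */
    int chown_allowed[MAX_FILES];  /* may the DAC driver chown it? (constructed) */
    int selinux_labeled[MAX_FILES];
    int dac_labeled[MAX_FILES];
    enum selinux_mode mode;
};

/* Point (1): ENOENT is fatal in every mode, since the guest could never open a
 * missing file. Tolerating other errors in permissive mode is a model assumption. */
int label_failure_is_fatal(int errnum, enum selinux_mode mode)
{
    return errnum == ENOENT || mode == MODE_ENFORCING;
}

static int selinux_commit(struct label_store *s)
{
    for (int i = 0; i < s->nfiles; i++) {
        if (!s->exists[i]) {
            if (label_failure_is_fatal(ENOENT, s->mode))
                return -ENOENT;
            continue;              /* only reachable if the rule above is relaxed */
        }
        s->selinux_labeled[i] = 1;
    }
    return 0;
}

static void selinux_abort(struct label_store *s)
{
    for (int i = 0; i < s->nfiles; i++) s->selinux_labeled[i] = 0;
}

static int dac_commit(struct label_store *s)
{
    for (int i = 0; i < s->nfiles; i++) {
        if (!s->chown_allowed[i])
            return -EPERM;         /* the step that fails in the scenario below */
        s->dac_labeled[i] = 1;
    }
    return 0;
}

static void dac_abort(struct label_store *s)
{
    for (int i = 0; i < s->nfiles; i++) s->dac_labeled[i] = 0;
}

struct driver {
    int (*commit)(struct label_store *s);
    void (*abort_)(struct label_store *s);
};
struct driver model_drivers[] = {
    { selinux_commit, selinux_abort },
    { dac_commit,     dac_abort },
};

/* Point (2), the shape the thread describes: a failure just returns, so the
 * labels applied by earlier drivers are left in place. */
int stack_commit_no_rollback(struct driver *d, int n, struct label_store *s)
{
    for (int i = 0; i < n; i++) {
        int rc = d[i].commit(s);
        if (rc < 0)
            return rc;
    }
    return 0;
}

/* Corrected shape: track how far the commit got and abort exactly those
 * drivers, in reverse order, so a failed transaction leaves no partial state. */
int stack_commit_with_rollback(struct driver *d, int n, struct label_store *s)
{
    int done = 0, rc = 0;
    while (done < n && (rc = d[done].commit(s)) == 0)
        done++;
    if (rc < 0)
        while (done-- > 0)
            d[done].abort_(s);
    return rc;
}

int main(void)
{
    /* One existing file whose chown is refused: SELinux succeeds, DAC fails. */
    struct label_store s = { .nfiles = 1, .exists = {1}, .mode = MODE_PERMISSIVE };
    int rc = stack_commit_no_rollback(model_drivers, 2, &s);
    printf("no rollback:   rc=%d, stale SELinux label=%d\n", rc, s.selinux_labeled[0]);
    selinux_abort(&s);
    rc = stack_commit_with_rollback(model_drivers, 2, &s);
    printf("with rollback: rc=%d, stale SELinux label=%d\n", rc, s.selinux_labeled[0]);
    return 0;
}
```

Running the model shows the difference directly: both commit variants return the DAC driver's error, but only the rollback variant leaves `selinux_labeled` cleared afterwards, which is the state a caller that does not restore labels itself would need.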