
On 03/10/2011 05:19 AM, Daniel P. Berrange wrote:
On Wed, Mar 09, 2011 at 07:18:32PM -0700, Eric Blake wrote:
SELinux labeling and cgroup ACLs aren't required if we hand a pre-opened fd to qemu. All the more reason to love fd: migration.
I know that holds true for cgroups, which checks on open() only, but are you absolutely sure about that for SELinux? SELinux checks FDs on every single syscall. I'm really fuzzy about what happens to an FD's associated security context when you pass it over a UNIX socket using SCM_RIGHTS. I think it might 'just work' as we already do this with TAP devices and don't label them, but it could be we have a generic policy rule related to TAP devices.
Whether surprising or not, it worked without doing any labeling on the fd. I don't know if that's a hole in SELinux. In fact, it's more than just the SELinux labeling - it's also the DAC labeling (that is, pre-patch, the file is owned by qemu:qemu during the migration, then chown'd back to root:root on completion; post-patch, the file is never chown'd in the first place, and it is the SCM_RIGHTS of the open fd that lets a non-root process write into a 600 root:root file). But that's not a hole (it's always been possible in Unix to do things on open fds where you can't do the same by attempting open() yourself on the same underlying file - for example, open(file,O_CREAT|O_RDWR,0000) lets you read and write into a temporary fd that not even another process with the same uid can reopen. Or put another way, an open fd is stateful - it remembers the permissions at the time of the open, and is not impacted by any intervening chmod or chown of the underlying file).
If it passed testing with SELinux in enforcing mode, then ACK
It does indeed pass (to my relief).

--
Eric Blake eblake@redhat.com +1-801-349-2682
Libvirt virtualization library http://libvirt.org
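The two points Eric makes above, that an open fd is stateful and that SCM_RIGHTS lets a process write through an fd for a file it could not open() itself, as an added example (not code from this thread or from libvirt): a parent creates a file with mode 0000 exactly as in the open() call quoted above, hands the fd over a UNIX socket to a forked child, and the child writes through the received fd while its own open() of the same path is refused. The /tmp path and the function names are constructed for the demo; the reopen check is skipped when the euid is 0, since root bypasses DAC mode bits.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Move one fd across a UNIX socket with SCM_RIGHTS: send when fd >= 0, else receive. */
static int pass_fd(int sock, int fd) {
    char byte = 'x';
    struct iovec iov = { &byte, 1 };
    union { struct cmsghdr h; char buf[CMSG_SPACE(sizeof(int))]; } u = {0};
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (fd >= 0) {                               /* sender: attach the fd as ancillary data */
        c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
        c->cmsg_len = CMSG_LEN(sizeof(int));
        memcpy(CMSG_DATA(c), &fd, sizeof(int));
        return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
    }
    if (recvmsg(sock, &msg, 0) != 1) return -1;  /* receiver: kernel installs a fresh fd */
    c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_type != SCM_RIGHTS) return -1;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Returns 1 when the child, which cannot open() the 0000-mode file itself, writes
 * through the fd it received and the parent reads that data back; 0 otherwise. */
int demo_fd_outlives_permissions(void) {
    char path[64], buf[3] = {0};
    int sv[2], status;
    snprintf(path, sizeof path, "/tmp/fdpass-demo-%d", (int)getpid()); /* constructed path */
    int fd = open(path, O_CREAT | O_RDWR | O_EXCL, 0000); /* the open() from the thread */
    if (fd < 0 || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0;
    pid_t pid = fork();
    if (pid == 0) {
        close(sv[0]); close(fd);                 /* child keeps only its end of the socket */
        int got = pass_fd(sv[1], -1);
        int reopen = open(path, O_RDWR);         /* fails with EACCES for non-root: mode 0000 */
        int ok = got >= 0 && write(got, "hi", 2) == 2 && (reopen < 0 || geteuid() == 0);
        _exit(ok ? 0 : 1);
    }
    close(sv[1]); pass_fd(sv[0], fd);            /* hand the open fd to the child */
    waitpid(pid, &status, 0); pread(fd, buf, 2, 0); /* parent's fd is unaffected by mode 0000 */
    unlink(path); close(fd); close(sv[0]);
    return WIFEXITED(status) && WEXITSTATUS(status) == 0 && strcmp(buf, "hi") == 0;
}
```

The passed fd refers to the same open file description, so the child's write advances the shared offset; the parent therefore reads with pread() at offset 0 rather than read().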