On 04.11.2016 17:32, Martin Pitt wrote:
Hello Michal,
Michal Privoznik [2016-11-04 8:47 +0100]:
That means that whenever a VM is being started up, libvirtd (our daemon we have) relabels all the necessary paths that QEMU process (representing VM) can touch.
Does that mean it's shipping an udev rule that does that? Or actually listens to uevents by itself (possibly via libudev) and applies the labels?
No. At the domain startup phase we know all the devices (paths) domain is configured to have. So we iterate over them and chown()/setfilecon_raw() over them. BTW: domains is how we refer to VMs in libvirt terminology.
However, I'm facing an issue that I don't know how to fix. In some cases QEMU can close & reopen a block device. However, closing a block device triggers an event and hence if there is a rule that sets a security label on a device the QEMU process is unable to reopen the device again.
Is that triggering the above libvirtd action (in the daemon via libudev or via an udev rule), or is that something else?
No, it's triggering other rules that user may already have. For instance: # cat /etc/udev/rules.d/51-qemu.rules KERNEL=="sd*", GROUP="qemu"
My question is, whet we can do to prevent udev from mangling with our security labels that we've set on the devices?
Sorry for my ignorance, but my question in return is: What's the udev rule that mangles with it in the first place? I don't see any such rule in upstream systemd or in Debian/Ubuntu, but it's of course possible that Fedora ships such a rule via another package.
Frankly, I have no idea where does the rule come from either. But no matter what I guess we should have a way to skip devices assigned to a domain when it comes to rules execution.
One of the ideas our lead developer had was for libvirt to set some kind of udev label on devices managed by libvirt (when setting up security labels) and then whenever udev sees such labelled device it won't touch it at all (this could be achieved by a rule perhaps?). Later, when domain is shutting down libvirt removes that label. But I don't think setting an arbitrary label on devices is supported, is it?
It actually is -- they are called "tags" (TAG+=) and "properties" (ENV{PROPNAME}="foo"), see udev(7). So indeed the most straightforward way would be to tag or set a property on those devices which you want to handle in libvirtd yourself, and then add something like
TAG=="libvirtd", GOTO="skip_selinux_context" [... original rule that changes context goes here ..] LABEL="skip_selinux_context"
I fear that this will not work because other rule may have already changed the label. BTW: I don't see an API to add tag to a device. I only see API to check if device has given tag. Libvirt's written in C so something like udev_device_add_tag() is needed if we were to go with tags (which again I think it's not helpful enough). Michal