My earlier testing for commit 34fa0de0 was done while starting
just-built libvirt from an unconfined_t shell, where the fds happened
to work when transferring to qemu. But when installed and run under
virtd_t, failure to label the raw file (with no compression) or the
pipe (with compression) triggers SELinux failures when passing fds
over SCM_RIGHTS to svirt_t qemu.

* src/qemu/qemu_migration.c (qemuMigrationToFile): When passing
FDs, make sure they are labeled.
---
This copies the fd-labeling approach added in commit 34a19dda1.
With this patch, I tested both unconfined_t and virtd_t SELinux
process labels for libvirtd (shell start vs. init start).

virsh managedsave dom/virsh start dom
  works for both raw and compressed save_image_format, both contexts

virsh save dom file/virsh restore file
  works for raw save_image_format, both contexts
  works for compressed with virtd_t context
  save fails for compressed with unconfined_t context, with the failure
  looking identical to the previously-reported failure for restore
  in the same settings (https://bugzilla.redhat.com/show_bug.cgi?id=691499)

So I'm reasonably confident that this is a good patch.
src/qemu/qemu_migration.c | 8 ++++++--
1 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c
index 98b9d01..43741e1 100644
--- a/src/qemu/qemu_migration.c
+++ b/src/qemu/qemu_migration.c
@@ -1304,8 +1304,12 @@ qemuMigrationToFile(struct qemud_driver *driver, virDomainObjPtr
vm,
if (qemuCaps && qemuCapsGet(qemuCaps, QEMU_CAPS_MIGRATE_QEMU_FD) &&
(!compressor || pipe(pipeFD) == 0)) {
/* All right! We can use fd migration, which means that qemu
- * doesn't have to open() the file, so we don't have to futz
- * around with granting access or revoking it later. */
+ * doesn't have to open() the file, so while we still have to
+ * grant SELinux access, we can do it on fd and avoid cleanup
+ * later, as well as skip futzing with cgroup. */
+ if (virSecurityManagerSetFDLabel(driver->securityManager, vm,
+ compressor ? pipeFD[1] : fd) < 0)
+ goto cleanup;
is_reg = true;
bypassSecurityDriver = true;
} else {
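Review bot: the new `goto cleanup` after virSecurityManagerSetFDLabel() fails is taken when pipe(pipeFD) in the enclosing condition may already have succeeded, so both pipe ends can be open at that point. The cleanup label is outside the visible lines; please confirm it closes pipeFD[0] and pipeFD[1] on this path, and that it behaves correctly with is_reg and bypassSecurityDriver still at their initial values, since the jump happens before either is set to true. It would also help to say in the comment why the label goes on pipeFD[1] rather than fd when a compressor is used (that is the descriptor handed to qemu over SCM_RIGHTS, per the commit message), so a later reader does not "fix" it to label the file instead.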
--
1.7.4