On 05/08/2018 05:28 PM, John Ferlan wrote:
> On 05/04/2018 04:21 PM, Stefan Berger wrote:
>> In this patch we label the swtpm process with SELinux labels. We give it the
>> same label as the QEMU process has. We label its state directory and files
>> as well.
>>
>> The file and process labels now look as follows:
>>
>> Directory: /var/lib/libvirt/swtpm
>>
>> [root@localhost swtpm]# ls -lZ
>> total 4
>> rwx------. 2 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 4096 Apr 5 16:46 testvm
>>
>> [root@localhost testvm]# ls -lZ
>> total 8
>> -rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 3648 Apr 5 16:46 tpm-00.permall
>>
>> The log in /var/log/swtpm/libvirt/qemu is labeled as follows:
>>
>> -rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 2237 Apr 5 16:46 vtpm.log
>>
>> [root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep swtpm | grep ctrl | grep -v grep
>> system_u:system_r:svirt_t:s0:c254,c932 tss 25664 0.0 0.0 28172 3892 ? Ss 16:57 0:00 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/var/run/libvirt/qemu/swtpm/testvm-swtpm.sock,mode=0660 --tpmstate dir=/var/lib/libvirt/swtpm/testvm/tpm1.2 --log file=/var/log/swtpm/libvirt/qemu/testvm-swtpm.log
>>
>> [root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep qemu | grep tpm | grep -v grep
>> system_u:system_r:svirt_t:s0:c254,c932 qemu 25669 99.0 0.0 3096704 48500 ? Sl 16:57 3:28 /bin/qemu-system-x86_64 [..]
>>
>> Signed-off-by: Stefan Berger <stefanb(a)linux.vnet.ibm.com>
>> ---
>> src/libvirt_private.syms | 1 +
>> src/qemu/qemu_extdevice.c | 22 ++++++++++-
>> src/security/security_driver.h | 4 ++
>> src/security/security_manager.c | 17 +++++++++
>> src/security/security_manager.h | 3 ++
>> src/security/security_selinux.c | 82 +++++++++++++++++++++++++++++++++++++++++
>> src/security/security_stack.c | 19 ++++++++++
>> 7 files changed, 147 insertions(+), 1 deletion(-)
>>
> I think this looks OK - not my specialty 0-) though. I see
> security_manager, selinux, etc. and my eyes start glazing over!
> Anyway, I assume the reason there's no Restore processing is because
> everything is deleted at shutdown, right?
No, the restore functions were missing. Added them now.
Stefan
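The labeling scheme quoted in the patch description above relies on one invariant: the swtpm process, the QEMU process and the TPM state files must all carry the same MCS category pair, and the files must be `svirt_image_t`, otherwise sVirt isolation between guests does not hold for the vTPM state. The following script is an added example (not libvirt or swtpm code) that checks that invariant from `ps auxZ` and `ls -lZ` output. The sample rows are taken from the output quoted in the thread; the "stale" row with categories `c17,c204` is constructed to show what a mismatch looks like. The context parser assumes explicit category lists as in the thread (`s0:c254,c932`) and does not expand range syntax such as `c0.c1023`.

```python
"""Verify that swtpm, QEMU and the TPM state files share one sVirt label.

Added example, not libvirt's or swtpm's own code. Sample rows are copied from
the ls -lZ / ps auxZ output quoted in the thread; the stale row is constructed.
"""
import re
from typing import List, NamedTuple


class Context(NamedTuple):
    user: str
    role: str
    type: str
    level: str             # sensitivity, e.g. "s0"
    categories: frozenset  # MCS categories, e.g. {"c254", "c932"}


# user:role:type:sN[:cA,cB,...] -- ranges like c0.c1023 are not handled (assumption).
_CTX_RE = re.compile(
    r"^(?P<user>[^:\s]+):(?P<role>[^:\s]+):(?P<type>[^:\s]+):"
    r"(?P<level>s\d+)(?::(?P<cats>c\d+(?:,c\d+)*))?$"
)


def parse_context(ctx: str) -> Context:
    """Split an SELinux context string into its components."""
    m = _CTX_RE.match(ctx)
    if not m:
        raise ValueError(f"unrecognised SELinux context: {ctx!r}")
    cats = m.group("cats")
    return Context(m.group("user"), m.group("role"), m.group("type"),
                   m.group("level"),
                   frozenset(cats.split(",")) if cats else frozenset())


def context_from_ls(line: str) -> Context:
    """`ls -lZ` row: mode links owner group context size month day time name."""
    return parse_context(line.split()[4])


def context_from_ps(line: str) -> Context:
    """`ps auxZ` row: the context is the first column."""
    return parse_context(line.split()[0])


def check_swtpm_labels(qemu: Context, swtpm: Context,
                       files: List[Context]) -> List[str]:
    """Return a list of findings; an empty list means the labels are consistent."""
    problems = []
    if swtpm.type != "svirt_t":
        problems.append(f"swtpm process type is {swtpm.type}, expected svirt_t")
    if swtpm.categories != qemu.categories:
        problems.append("swtpm process MCS categories differ from the guest's")
    for i, f in enumerate(files):
        if f.type != "svirt_image_t":
            problems.append(f"file {i}: type {f.type}, expected svirt_image_t")
        if not f.categories:
            # With no categories the file is dominated by every guest's level.
            problems.append(f"file {i}: no MCS categories, any svirt_t guest could reach it")
        elif f.categories != qemu.categories:
            problems.append(f"file {i}: MCS categories {sorted(f.categories)} "
                            "do not match the guest's")
    return problems


def audit(qemu_ps: str, swtpm_ps: str, ls_rows: List[str]) -> List[str]:
    """Convenience wrapper: raw command output in, findings out."""
    return check_swtpm_labels(context_from_ps(qemu_ps), context_from_ps(swtpm_ps),
                              [context_from_ls(r) for r in ls_rows])


# Sample rows copied from the thread (command output, not produced by this script).
QEMU_PS = ("system_u:system_r:svirt_t:s0:c254,c932 qemu 25669 99.0 0.0 3096704 48500 "
           "? Sl 16:57 3:28 /bin/qemu-system-x86_64")
SWTPM_PS = ("system_u:system_r:svirt_t:s0:c254,c932 tss 25664 0.0 0.0 28172 3892 "
            "? Ss 16:57 0:00 /usr/bin/swtpm socket --daemon")
STATE_LS = [
    "-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 3648 Apr 5 16:46 tpm-00.permall",
    "-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 2237 Apr 5 16:46 vtpm.log",
]
# Constructed failure case: a state file still carrying another guest's categories.
STALE_LS = ("-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c17,c204 "
            "3648 Apr 5 16:46 tpm-00.permall")

if __name__ == "__main__":
    print("consistent:", audit(QEMU_PS, SWTPM_PS, STATE_LS))
    print("stale file:", audit(QEMU_PS, SWTPM_PS, [STALE_LS]))
```

Running it reports no findings for the rows from the thread and one finding for the stale row; the same `audit` call can be fed live `ps auxZ` and `ls -lZ` output for a guest's swtpm directory to confirm the relabeling happened on restart as well.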