[libvirt] [PATCH] selinux: Avoid label reservations for type = none during restart
The problem is libvirt kills the guests during libvirt restart if more than guest has security type as none. This is because, libvirt as part of guest- reconnect tries to reserve the security labels. In case of type=none, the range of security context happen to be same for several guests. During reservation, the second attempt to reserve the same range fails and the Guests would be killed. The fix is to avoid reserving labels for type = none during libvirt restart. Signed-off-by: Shivaprasad G Bhat <sbhat@linux.vnet.ibm.com> --- src/security/security_selinux.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 008c58c..2f8a7f2 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -739,7 +739,8 @@ virSecuritySELinuxReserveSecurityLabel(virSecurityManagerPtr mgr, virSecurityLabelDefPtr seclabel; seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); - if (!seclabel || seclabel->type == VIR_DOMAIN_SECLABEL_STATIC) + if (!seclabel || seclabel->type == VIR_DOMAIN_SECLABEL_STATIC || + seclabel->type == VIR_DOMAIN_SECLABEL_NONE) return 0; if (getpidcon_raw(pid, &pctx) == -1) {
Hi, Could someone please help me with review for this patch? Thanks and Regards, Shiva ---------- Forwarded message ---------- From: Shivaprasad G Bhat <shivaprasadbhat@gmail.com> Date: Tue, Jun 10, 2014 at 5:12 PM Subject: [libvirt] [PATCH] selinux: Avoid label reservations for type = none during restart To: libvir-list@redhat.com The problem is libvirt kills the guests during libvirt restart if more than guest has security type as none. This is because, libvirt as part of guest- reconnect tries to reserve the security labels. In case of type=none, the range of security context happen to be same for several guests. During reservation, the second attempt to reserve the same range fails and the Guests would be killed. The fix is to avoid reserving labels for type = none during libvirt restart. Signed-off-by: Shivaprasad G Bhat <sbhat@linux.vnet.ibm.com> --- src/security/security_selinux.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 008c58c..2f8a7f2 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -739,7 +739,8 @@ virSecuritySELinuxReserveSecurityLabel(virSecurityManagerPtr mgr, virSecurityLabelDefPtr seclabel; seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); - if (!seclabel || seclabel->type == VIR_DOMAIN_SECLABEL_STATIC) + if (!seclabel || seclabel->type == VIR_DOMAIN_SECLABEL_STATIC || + seclabel->type == VIR_DOMAIN_SECLABEL_NONE) return 0; if (getpidcon_raw(pid, &pctx) == -1) { -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
On 10.06.2014 13:42, Shivaprasad G Bhat wrote:
The problem is libvirt kills the guests during libvirt restart if more than guest has security type as none. This is because, libvirt as part of guest- reconnect tries to reserve the security labels. In case of type=none, the range of security context happen to be same for several guests. During reservation, the second attempt to reserve the same range fails and the Guests would be killed. The fix is to avoid reserving labels for type = none during libvirt restart.
I think the major point is, that for type=none libvirt (according to the docs) should not generate seclabel at all (either for given security model or for all models). I'd expect such explanation in commit message.
Signed-off-by: Shivaprasad G Bhat <sbhat@linux.vnet.ibm.com> --- src/security/security_selinux.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 008c58c..2f8a7f2 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -739,7 +739,8 @@ virSecuritySELinuxReserveSecurityLabel(virSecurityManagerPtr mgr, virSecurityLabelDefPtr seclabel;
seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); - if (!seclabel || seclabel->type == VIR_DOMAIN_SECLABEL_STATIC) + if (!seclabel || seclabel->type == VIR_DOMAIN_SECLABEL_STATIC || + seclabel->type == VIR_DOMAIN_SECLABEL_NONE)
While technically this is okay, I find it nicer if the three conditions are on separate lines. But maybe I'm too picky O:-)
return 0;
if (getpidcon_raw(pid, &pctx) == -1) {
I feel bad demanding v2, but the commit message needs fixing. But hey - you're on the right track! Michal
On Wed, Sep 3, 2014 at 9:45 PM, Michal Privoznik <mprivozn@redhat.com> wrote:
On 10.06.2014 13:42, Shivaprasad G Bhat wrote:
The problem is libvirt kills the guests during libvirt restart if more than guest has security type as none. This is because, libvirt as part of guest- reconnect tries to reserve the security labels. In case of type=none, the range of security context happen to be same for several guests. During reservation, the second attempt to reserve the same range fails and the Guests would be killed. The fix is to avoid reserving labels for type = none during libvirt restart.
I think the major point is, that for type=none libvirt (according to the docs) should not generate seclabel at all (either for given security model or for all models). I'd expect such explanation in commit message.
Signed-off-by: Shivaprasad G Bhat <sbhat@linux.vnet.ibm.com> --- src/security/security_selinux.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 008c58c..2f8a7f2 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -739,7 +739,8 @@ virSecuritySELinuxReserveSecurityLabel(virSecurityManagerPtr mgr, virSecurityLabelDefPtr seclabel;
seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); - if (!seclabel || seclabel->type == VIR_DOMAIN_SECLABEL_STATIC) + if (!seclabel || seclabel->type == VIR_DOMAIN_SECLABEL_STATIC || + seclabel->type == VIR_DOMAIN_SECLABEL_NONE)
While technically this is okay, I find it nicer if the three conditions are on separate lines. But maybe I'm too picky O:-)
return 0;
if (getpidcon_raw(pid, &pctx) == -1) {
I feel bad demanding v2, but the commit message needs fixing. But hey - you're on the right track!
Michal
Thanks Michal.. Sent you the V2. Regards, Shiva
participants (3)
-
Michal Privoznik -
Shivaprasad bhat -
Shivaprasad G Bhat