[PATCH v2 0/2] selinux: Don't ignore ENOENT in Permissive mode
This is just a resend of the following series: https://listman.redhat.com/archives/libvir-list/2021-October/msg00738.html Michal Prívozník (2): selinux: Swap two blocks handling setfilecon_raw() failure selinux: Don't ignore ENOENT in Permissive mode src/security/security_selinux.c | 32 +++++++++++++++++--------------- 1 file changed, 17 insertions(+), 15 deletions(-) -- 2.39.1
In virSecuritySELinuxSetFileconImpl() we have code that handles setfilecon_raw() failure. The code consists of two blocks: one for dealing with shared filesystem like NFS (errno is ENOTSUP or EROFS) and the other block that's dealing with EPERM for privileged daemon. Well, the order of these two blocks is a bit confusing because the comment above them mentions the NFS case but EPERM block follows. Swap these two blocks to make it less confusing. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- src/security/security_selinux.c | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 4d4a1705e6..e9c4051a98 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -1261,22 +1261,9 @@ virSecuritySELinuxSetFileconImpl(const char *path, * boolean tunables to allow it ... */ VIR_WARNINGS_NO_WLOGICALOP_EQUAL_EXPR - if (setfilecon_errno != EOPNOTSUPP && setfilecon_errno != ENOTSUP && - setfilecon_errno != EROFS) { + if (setfilecon_errno == EOPNOTSUPP || setfilecon_errno == ENOTSUP || + setfilecon_errno == EROFS) { VIR_WARNINGS_RESET - /* However, don't claim error if SELinux is in Enforcing mode and - * we are running as unprivileged user and we really did see EPERM. - * Otherwise we want to return error if SELinux is Enforcing. */ - if (security_getenforce() == 1 && - (setfilecon_errno != EPERM || privileged)) { - virReportSystemError(setfilecon_errno, - _("unable to set security context '%s' on '%s'"), - tcon, path); - return -1; - } - VIR_WARN("unable to set security context '%s' on '%s' (errno %d)", - tcon, path, setfilecon_errno); - } else { const char *msg; if (virFileIsSharedFSType(path, VIR_FILE_SHFS_NFS) == 1 && security_get_boolean_active("virt_use_nfs") != 1) { @@ -1290,6 +1277,19 @@ virSecuritySELinuxSetFileconImpl(const char *path, VIR_INFO("Setting security context '%s' on '%s' not supported", tcon, path); } + } else { + /* However, don't claim error if SELinux is in Enforcing mode and + * we are running as unprivileged user and we really did see EPERM. + * Otherwise we want to return error if SELinux is Enforcing. */ + if (security_getenforce() == 1 && + (setfilecon_errno != EPERM || privileged)) { + virReportSystemError(setfilecon_errno, + _("unable to set security context '%s' on '%s'"), + tcon, path); + return -1; + } + VIR_WARN("unable to set security context '%s' on '%s' (errno %d)", + tcon, path, setfilecon_errno); } return 1; -- 2.39.1
In selinux driver there's virSecuritySELinuxSetFileconImpl() which is responsible for actual setting of SELinux label on given file and handling possible failures. In fhe failure handling code we decide whether failure is fatal or not. But there is a bug: depending on SELinux mode (Permissive vs. Enforcing) the ENOENT is either ignored or considered fatal. This not correct - ENOENT must always be fatal for couple of reasons: - In virSecurityStackTransactionCommit() the seclabels are set for individual secdrivers (e.g. SELinux first and then DAC), but if one secdriver succeeds and another one fails, then no rollback is performed for the successful one leaking remembered labels. - QEMU would fail opening the file anyways (if neither of secdrivers reported error and thus cancelled domain startup) Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2004850 Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- src/security/security_selinux.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index e9c4051a98..2e9efa78f4 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -1280,9 +1280,11 @@ virSecuritySELinuxSetFileconImpl(const char *path, } else { /* However, don't claim error if SELinux is in Enforcing mode and * we are running as unprivileged user and we really did see EPERM. - * Otherwise we want to return error if SELinux is Enforcing. */ - if (security_getenforce() == 1 && - (setfilecon_errno != EPERM || privileged)) { + * Otherwise we want to return error if SELinux is Enforcing, or we + * saw EPERM regardless of SELinux mode. */ + if (setfilecon_errno == ENOENT || + (security_getenforce() == 1 && + (setfilecon_errno != EPERM || privileged))) { virReportSystemError(setfilecon_errno, _("unable to set security context '%s' on '%s'"), tcon, path); -- 2.39.1
On Fri, Feb 17, 2023 at 04:21:26PM +0100, Michal Privoznik wrote:
This is just a resend of the following series:
https://listman.redhat.com/archives/libvir-list/2021-October/msg00738.html
Michal Prívozník (2): selinux: Swap two blocks handling setfilecon_raw() failure selinux: Don't ignore ENOENT in Permissive mode
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
src/security/security_selinux.c | 32 +++++++++++++++++--------------- 1 file changed, 17 insertions(+), 15 deletions(-)
-- 2.39.1
participants (2)
-
Martin Kletzander -
Michal Privoznik