8:30 a.m.
If a domain is explicitly configured with <seclabel type="none"/> we
correctly ensure that no labeling will be done by setting
norelabel=true. However, if no seclabel element is present in domain XML
and hypervisor is configured not to confine domains by default, we only
set type to "none" without turning off relabeling. Thus if such a domain
is being started, security driver wants to relabel resources with
default label, which doesn't make any sense.
Moreover, with SELinux security driver, the generated image label lacks
"s0" sensitivity, which causes setfilecon() fail with EINVAL in
enforcing mode.
---
src/security/security_manager.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index 2e1be4d..44ab6fb 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -309,10 +309,12 @@ int virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
virDomainDefPtr vm)
{
if (vm->seclabel.type == VIR_DOMAIN_SECLABEL_DEFAULT) {
- if (mgr->defaultConfined)
+ if (mgr->defaultConfined) {
vm->seclabel.type = VIR_DOMAIN_SECLABEL_DYNAMIC;
- else
+ } else {
vm->seclabel.type = VIR_DOMAIN_SECLABEL_NONE;
+ vm->seclabel.norelabel = true;
+ }
}
if ((vm->seclabel.type == VIR_DOMAIN_SECLABEL_NONE) &&
--
1.7.11.1
11:14 a.m.
On Wed, Jul 25, 2012 at 03:30:28PM +0200, Jiri Denemark wrote:
If a domain is explicitly configured with <seclabel
type="none"/> we
correctly ensure that no labeling will be done by setting
norelabel=true. However, if no seclabel element is present in domain XML
and hypervisor is configured not to confine domains by default, we only
set type to "none" without turning off relabeling. Thus if such a domain
is being started, security driver wants to relabel resources with
default label, which doesn't make any sense.
Moreover, with SELinux security driver, the generated image label lacks
"s0" sensitivity, which causes setfilecon() fail with EINVAL in
enforcing mode.
---
src/security/security_manager.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index 2e1be4d..44ab6fb 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -309,10 +309,12 @@ int virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
virDomainDefPtr vm)
{
if (vm->seclabel.type == VIR_DOMAIN_SECLABEL_DEFAULT) {
- if (mgr->defaultConfined)
+ if (mgr->defaultConfined) {
vm->seclabel.type = VIR_DOMAIN_SECLABEL_DYNAMIC;
- else
+ } else {
vm->seclabel.type = VIR_DOMAIN_SECLABEL_NONE;
+ vm->seclabel.norelabel = true;
+ }
}
if ((vm->seclabel.type == VIR_DOMAIN_SECLABEL_NONE) &&
ACK, I see if the user requested type=none in the XML, then we
have already set norelabel = true, in the XML parser.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
12:01 p.m.
On Fri, Jul 27, 2012 at 17:14:41 +0100, Daniel P. Berrange wrote:
On Wed, Jul 25, 2012 at 03:30:28PM +0200, Jiri Denemark wrote:
> If a domain is explicitly configured with <seclabel type="none"/>
we
> correctly ensure that no labeling will be done by setting
> norelabel=true. However, if no seclabel element is present in domain XML
> and hypervisor is configured not to confine domains by default, we only
> set type to "none" without turning off relabeling. Thus if such a domain
> is being started, security driver wants to relabel resources with
> default label, which doesn't make any sense.
>
> Moreover, with SELinux security driver, the generated image label lacks
> "s0" sensitivity, which causes setfilecon() fail with EINVAL in
> enforcing mode.
ACK, I see if the user requested type=none in the XML, then we
have already set norelabel = true, in the XML parser.
Thanks, pushed.
Jirka
4501
days inactive
4503
days old
2 comments
2 participants
participants (2)
-
Daniel P. Berrange -
Jiri Denemark