From: Michal Privoznik
To: libvir-list@redhat.com
Date: Thu, 22 Jun 2017 13:55:05 +0200
Message-Id: <73b9750d36141f74010443f235300c9632b73a9d.1498132505.git.mprivozn@redhat.com>
Subject: [libvirt] [PATCH] security: Don't skip relabel for all chardevs

Our commit e13e8808f9 was way too generic. Currently, virtlogd is used only for chardevs type of file and nothing else. True, we must not relabel the path in this case, but we have to in all other cases. For instance, if you want to have a physical console attached to your guest:

Starting such domain fails because qemu doesn't have access to /dev/ttyS0 because we haven't relabelled the path.

Signed-off-by: Michal Privoznik
Reviewed-by: John Ferlan
---
 src/security/security_dac.c | 8 ++++++--
 src/security/security_selinux.c | 8 ++++++--
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/src/security/security_dac.c b/src/security/security_dac.c index 79941f480..ca7a6af6d 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c 
@@ -1179,7 +1179,9 @@ virSecurityDACSetChardevLabel(virSecurityManagerPtr m= gr, if (chr_seclabel && !chr_seclabel->relabel) return 0; =20 - if (!chr_seclabel && chardevStdioLogd) + if (!chr_seclabel && + dev_source->type =3D=3D VIR_DOMAIN_CHR_TYPE_FILE && + chardevStdioLogd) return 0; =20 if (chr_seclabel && chr_seclabel->label) { @@ -1261,7 +1263,9 @@ virSecurityDACRestoreChardevLabel(virSecurityManagerP= tr mgr, if (chr_seclabel && !chr_seclabel->relabel) return 0; =20 - if (!chr_seclabel && chardevStdioLogd) + if (!chr_seclabel && + dev_source->type =3D=3D VIR_DOMAIN_CHR_TYPE_FILE && + chardevStdioLogd) return 0; =20 switch ((virDomainChrType) dev_source->type) { diff --git a/src/security/security_selinux.c b/src/security/security_selinu= x.c index 26137f6d8..2e3082b7a 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -2199,7 +2199,9 @@ virSecuritySELinuxSetChardevLabel(virSecurityManagerP= tr mgr, if (chr_seclabel && !chr_seclabel->relabel) return 0; =20 - if (!chr_seclabel && chardevStdioLogd) + if (!chr_seclabel && + dev_source->type =3D=3D VIR_DOMAIN_CHR_TYPE_FILE && + chardevStdioLogd) return 0; =20 if (chr_seclabel) @@ -2274,7 +2276,9 @@ virSecuritySELinuxRestoreChardevLabel(virSecurityMana= gerPtr mgr, if (chr_seclabel && !chr_seclabel->relabel) return 0; =20 - if (!chr_seclabel && chardevStdioLogd) + if (!chr_seclabel && + dev_source->type =3D=3D VIR_DOMAIN_CHR_TYPE_FILE && + chardevStdioLogd) return 0; =20 switch (dev_source->type) { --=20 2.13.0 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
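Review bot: In security_dac.c the new three-line test (!chr_seclabel, dev_source->type == VIR_DOMAIN_CHR_TYPE_FILE, chardevStdioLogd) is pasted verbatim into both virSecurityDACSetChardevLabel and virSecurityDACRestoreChardevLabel with no comment saying why only the file type is exempt. Set and Restore must skip exactly the same chardevs, otherwise a path is either restored without having been labelled or left labelled after the domain stops, so a small static helper that both functions call would keep the two in step. A one-line comment on that helper stating that virtlogd handles file-backed chardevs, which is why their path must not be relabelled, would record the reasoning that currently lives only in the commit message.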
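Review bot: In security_selinux.c the same predicate is copied a third and fourth time into virSecuritySELinuxSetChardevLabel and virSecuritySELinuxRestoreChardevLabel, so the DAC and SELinux drivers now each carry their own definition of which chardevs are left unlabelled. This patch exists because that rule was too broad, which makes it worth defining once, in a helper both drivers can call, so the next adjustment cannot land in one driver and miss the other. The diffstat also shows only the two source files changed: a test case covering a non-file chardev such as the /dev/ttyS0 console from the commit message, with chardevStdioLogd enabled, would guard against the skip being widened again.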