From: David Michael
To: libvir-list@redhat.com
Subject: [PATCH] security_selinux.c: Relabel existing mode="bind" UNIX sockets
Date: Tue, 28 Jun 2022 08:33:41 -0400
Message-ID: <871qv9ezmi.fsf@bigbadwolfsecurity.com>
List-Id: Development discussions about the libvirt library & tools

This supports sockets created by libvirt and passed by FD using the same method as in security_dac.c.
Signed-off-by: David Michael
Reviewed-by: Michal Privoznik
---
Hi,

Custom SELinux labels are not applied to sockets when they have mode="bind", but other security models (DAC) allow changing these sockets. Can the same method be used to support SELinux?

Thanks.

David

 src/security/security_selinux.c            | 6 ++++--
 tests/securityselinuxlabeldata/chardev.txt | 2 +-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinu= x.c index e2f34a27dc..8b258c9e36 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -2541,7 +2541,9 @@ virSecuritySELinuxSetChardevLabel(virSecurityManager = *mgr, break; =20 case VIR_DOMAIN_CHR_TYPE_UNIX: - if (!dev_source->data.nix.listen) { + if (!dev_source->data.nix.listen || + (dev_source->data.nix.path && + virFileExists(dev_source->data.nix.path))) { if (virSecuritySELinuxSetFilecon(mgr, dev_source->data.nix.path, imagelabel, @@ -2618,7 +2620,7 @@ virSecuritySELinuxRestoreChardevLabel(virSecurityMana= ger *mgr, case VIR_DOMAIN_CHR_TYPE_UNIX: if (!dev_source->data.nix.listen) { if (virSecuritySELinuxRestoreFileLabel(mgr, - dev_source->data.file.p= ath, + dev_source->data.nix.pa= th, true) < 0) goto done; } diff --git a/tests/securityselinuxlabeldata/chardev.txt b/tests/securitysel= inuxlabeldata/chardev.txt index 3f4b6302b9..bdb367f7a5 100644 --- a/tests/securityselinuxlabeldata/chardev.txt +++ b/tests/securityselinuxlabeldata/chardev.txt @@ -2,6 +2,6 @@ /plain.dev;system_u:object_r:svirt_image_t:s0:c41,c264 /plain.fifo;system_u:object_r:svirt_image_t:s0:c41,c264 /nolabel.sock; -/plain.sock; +/plain.sock;system_u:object_r:svirt_image_t:s0:c41,c264 /yeslabel.sock;system_u:object_r:svirt_image_t:s0:c41,c264 /altlabel.sock;system_u:object_r:svirt_image_custom_t:s0:c41,c264 --=20 2.36.1
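Review bot: the widened condition in the VIR_DOMAIN_CHR_TYPE_UNIX case of virSecuritySELinuxSetChardevLabel() (hunk @@ -2541) is broader than the commit message describes: with listen set, any path for which virFileExists(dev_source->data.nix.path) is true gets relabeled with imagelabel, not only sockets that libvirt itself created and passed by FD, so a pre-existing file at a user-configured mode="bind" path is relabeled as well. If that breadth is intended (to mirror security_dac.c), state it in the commit message; otherwise the code needs some indication that libvirt created the socket before relabeling it.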
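Review bot: the virSecuritySELinuxRestoreChardevLabel() hunk (@@ -2618) bundles an unrelated fix, replacing dev_source->data.file.path with dev_source->data.nix.path in the restore call, with the feature change; that belongs in its own commit, or at least in a sentence of the commit message. Separately, the restore branch is still guarded only by `if (!dev_source->data.nix.listen)`, while the set side now also labels listen sockets whose path exists, so a mode="bind" socket relabeled at domain start is left with the domain's label after the domain stops. Either mirror the new set-side condition here or document why restore is deliberately skipped for listen sockets.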
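Review bot: the chardev.txt hunk (@@ -2,6 +2,6 @@) only changes the expectation for /plain.sock from unlabeled to system_u:object_r:svirt_image_t:s0:c41,c264, which exercises the new branch for a listen socket whose path exists. Consider also adding a listen-mode entry whose path is absent on disk and is expected to stay unlabeled, so the virFileExists() guard is tested in both directions, and a short comment next to /nolabel.sock stating which case that line covers.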