From: Michal Privoznik
To: devel@lists.libvirt.org
Subject: [PATCH v2 2/2] security: Allow RW access to pstore device
Date: Tue, 30 Jul 2024 17:36:40 +0200
Message-ID: <6eaf464e43ab8602ca1f5067bfb0675b2f6d2f59.1722353364.git.mprivozn@redhat.com>
CC: abologna@redhat.com

The whole point of the pstore device is that the guest writes crash dumps into it. But the way the SELinux label is set on the corresponding file warrants RO access only. This is due to a copy-paste from code around: kernel/initrd/DTB/SLIC - these are RO indeed, but pstore MUST be writable too. In a sense it's closer to NVRAM/disks - hence set imagelabel on it.

Signed-off-by: Michal Privoznik
---
 src/security/security_selinux.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinu= x.c
index ba0ce8fb9d..31df4d22db 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -3341,7 +3341,7 @@ virSecuritySELinuxSetAllLabel(virSecurityManager *mgr, =20 if (def->pstore && virSecuritySELinuxSetFilecon(mgr, def->pstore->path, - data->content_context, true) < 0) + secdef->imagelabel, true) < 0) return -1; =20 return 0; --=20 2.44.2
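Review bot: the replacement line dereferences `secdef->imagelabel`, but `secdef` does not appear anywhere in the hunk's context, so the correctness of this one-liner depends on `secdef` already being resolved and non-NULL earlier in virSecuritySELinuxSetAllLabel; please confirm that the function's early return for a missing security label (or relabel disabled) precedes this `if (def->pstore ...)` block, since the old `data->content_context` operand carried no such dependency. The substance of the switch matches the commit message: `imagelabel` is the domain's own read-write image context rather than the shared read-only content context, which is what gives the guest's QEMU write access to the pstore backing file while keeping that access scoped to the one domain, exactly as for NVRAM and disks. It would help reviewers if the commit message said that scoping explicitly, and noted that the file's contents are now guest-written and must be treated as untrusted input by anything on the host that later parses them.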