From nobody Sat May 4 23:18:31 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) client-ip=170.10.133.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1634555654; cv=none; d=zohomail.com; s=zohoarc; b=dxFSuQ5ra6inl/qvi6bEznPRTLlhSJ9l6ghqB+v9ROqIE2AxvTB0KqdHA34EpoZs5x/haR16VCDM2GBJpZeBAFxusHCPYydvP/2eqE2802PmX9NA7+V8PdraCS48h9qs5R5GRPTWWc1sr6sY5UL71WZkgVam2EUkPOUY+cIfMUU= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1634555654; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=sj+T/mp+HX+YVjRs3gY6pYcWswbJW32Z7LzqN0FgRh0=; b=mYKqFNmLC4mYBBR5rvTeuG4AsT8XpT7hHXGk72GYYNYtNANGRM9o/i8MkQHIxjalJKVwQG82JZMVnF8KYyg0hWrcIDVgnZJhf9rmHi5QuPxiLg3wgwFzrr8xlF3zLen6IE27zF1up32bmALD4oAHFhBkycx7Dyu0sjQ+10IliJQ= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.zohomail.com with SMTPS id 1634555654640966.215947775782; Mon, 18 Oct 2021 04:14:14 -0700 (PDT) Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-122-s1VCuy0TObWUl7Zc0x-ihw-1; Mon, 18 Oct 2021 07:14:11 -0400 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 201A380A5C1; Mon, 18 Oct 2021 11:14:07 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id CA502ADD8; Mon, 18 Oct 2021 11:14:06 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id E62221806D03; Mon, 18 Oct 2021 11:14:03 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 19IBE2pS006449 for ; Mon, 18 Oct 2021 07:14:02 -0400 Received: by smtp.corp.redhat.com (Postfix) id DC0DD707B6; Mon, 18 Oct 2021 11:14:01 +0000 (UTC) Received: from localhost.localdomain (unknown [10.40.194.131]) by smtp.corp.redhat.com (Postfix) with ESMTP id 4D395708E0 for ; Mon, 18 Oct 2021 11:14:01 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1634555653; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=sj+T/mp+HX+YVjRs3gY6pYcWswbJW32Z7LzqN0FgRh0=; b=Zn3Ix3ggQMaZ2+P5k+AY7yVT7BnU24CoE/DGVc5TCG+4K1mTgONQEStQCxSeJ/LyJHJ/UI 0l6NebBaBIW7bxVlIAF3wjvhQHtulKfN03heiM4l/Yf3lxF5AZiMAmaooDgqlRasEMQ5Fe ZQMcY2PyKd9fXH2LPwz6hRVGIaKCpqk= X-MC-Unique: s1VCuy0TObWUl7Zc0x-ihw-1 From: Michal Privoznik To: libvir-list@redhat.com Subject: [PATCH v2 1/2] selinux: Swap two blocks handling setfilecon_raw() failure Date: Mon, 18 Oct 2021 13:13:52 +0200 Message-Id: <6c57aa8b7de41a4c9964e09cfba66b25704e10fa.1634555595.git.mprivozn@redhat.com> In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-loop: libvir-list@redhat.com X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1634555656858100002 Content-Type: text/plain; charset="utf-8" In virSecuritySELinuxSetFileconImpl() we have code that handles setfilecon_raw() failure. The code consists of two blocks: one for dealing with shared filesystem like NFS (errno is ENOTSUP or EROFS) and the other block that's dealing with EPERM for privileged daemon. Well, the order of these two blocks is a bit confusing because the comment above them mentions the NFS case but EPERM block follows. Swap these two blocks to make it less confusing. Signed-off-by: Michal Privoznik --- src/security/security_selinux.c | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/src/security/security_selinux.c b/src/security/security_selinu= x.c index 622a8f4c02..39c10cbe8f 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -1264,22 +1264,9 @@ virSecuritySELinuxSetFileconImpl(const char *path, * boolean tunables to allow it ... */ VIR_WARNINGS_NO_WLOGICALOP_EQUAL_EXPR - if (setfilecon_errno !=3D EOPNOTSUPP && setfilecon_errno !=3D ENOT= SUP && - setfilecon_errno !=3D EROFS) { + if (setfilecon_errno =3D=3D EOPNOTSUPP || setfilecon_errno =3D=3D = ENOTSUP || + setfilecon_errno =3D=3D EROFS) { VIR_WARNINGS_RESET - /* However, don't claim error if SELinux is in Enforcing mode = and - * we are running as unprivileged user and we really did see E= PERM. - * Otherwise we want to return error if SELinux is Enforcing. = */ - if (security_getenforce() =3D=3D 1 && - (setfilecon_errno !=3D EPERM || privileged)) { - virReportSystemError(setfilecon_errno, - _("unable to set security context '%s= ' on '%s'"), - tcon, path); - return -1; - } - VIR_WARN("unable to set security context '%s' on '%s' (errno %= d)", - tcon, path, setfilecon_errno); - } else { const char *msg; if (virFileIsSharedFSType(path, VIR_FILE_SHFS_NFS) =3D=3D 1 && security_get_boolean_active("virt_use_nfs") !=3D 1) { @@ -1293,6 +1280,19 @@ virSecuritySELinuxSetFileconImpl(const char *path, VIR_INFO("Setting security context '%s' on '%s' not suppor= ted", tcon, path); } + } else { + /* However, don't claim error if SELinux is in Enforcing mode = and + * we are running as unprivileged user and we really did see E= PERM. + * Otherwise we want to return error if SELinux is Enforcing. = */ + if (security_getenforce() =3D=3D 1 && + (setfilecon_errno !=3D EPERM || privileged)) { + virReportSystemError(setfilecon_errno, + _("unable to set security context '%s= ' on '%s'"), + tcon, path); + return -1; + } + VIR_WARN("unable to set security context '%s' on '%s' (errno %= d)", + tcon, path, setfilecon_errno); } =20 return 1; --=20 2.32.0 From nobody Sat May 4 23:18:31 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 216.205.24.124 as permitted sender) client-ip=216.205.24.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 216.205.24.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1634555654; cv=none; d=zohomail.com; s=zohoarc; b=FnjY4ojJZnP+AwBIMamYsJJUyRQeWRC5jSxgFt8DsCXthrEPcadG0jMLYokQfcZI7tbsoe5tjKPOeL6n8ywAkRyKC9l5NwYYUWM0ApQSwIT6a0UeXP3hLfxfbTRWC+/QycPmnhzNolTQwLNyBu0SgIZabtH9emx1wSRD4Wfsuyk= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1634555654; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=jPJgJPoN9lSQLrkakQTBHlHb/1ZY4cRE2KxI6VZwgMw=; b=cJBjbBuIMKowzdFtINZmuu1fkDXx1svgDOhp+Yg7rtL5g1iHIQeX0v73WiZJPkSLYgiT0pDnKXwYHuSIE/keMb8+4yDh3eCcZwiqJ+K3Jj1GOiDV/5YiBBV7SpNnnSwFKrUxa328GOdWRJPgJklbhqNa0khKCKiHIRvXnUUJoAU= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 216.205.24.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [216.205.24.124]) by mx.zohomail.com with SMTPS id 1634555654986162.57410522789053; Mon, 18 Oct 2021 04:14:14 -0700 (PDT) Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-437-ODaIf2ceO3OBisnMA1-lAg-1; Mon, 18 Oct 2021 07:14:11 -0400 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id E180A1018720; Mon, 18 Oct 2021 11:14:06 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 9E05B5DF35; Mon, 18 Oct 2021 11:14:06 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id F03F74A703; Mon, 18 Oct 2021 11:14:03 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 19IBE2kk006457 for ; Mon, 18 Oct 2021 07:14:02 -0400 Received: by smtp.corp.redhat.com (Postfix) id D28D87092D; Mon, 18 Oct 2021 11:14:02 +0000 (UTC) Received: from localhost.localdomain (unknown [10.40.194.131]) by smtp.corp.redhat.com (Postfix) with ESMTP id 43580707B6 for ; Mon, 18 Oct 2021 11:14:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1634555653; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=jPJgJPoN9lSQLrkakQTBHlHb/1ZY4cRE2KxI6VZwgMw=; b=OumQfLMCJw9rTdwOuUHv6jB5nPiff4TNnRh+j5VQYXAzEKF0NZq17MsrKA5jYHTxUra//v uEA2BYwGZDmu1cUGmdQnT98yELhrcicUWlzYsmiZNtQwN+/8/poLTGONiL28kE0gZcRpQL Mml05u09f/nV5CBkTn2hVjikU9KlSis= X-MC-Unique: ODaIf2ceO3OBisnMA1-lAg-1 From: Michal Privoznik To: libvir-list@redhat.com Subject: [PATCH v2 2/2] selinux: Don't ignore ENOENT in Permissive mode Date: Mon, 18 Oct 2021 13:13:53 +0200 Message-Id: In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-loop: libvir-list@redhat.com X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1634555656854100001 Content-Type: text/plain; charset="utf-8" In selinux driver there's virSecuritySELinuxSetFileconImpl() which is responsible for actual setting of SELinux label on given file and handling possible failures. In fhe failure handling code we decide whether failure is fatal or not. But there is a bug: depending on SELinux mode (Permissive vs. Enforcing) the ENOENT is either ignored or considered fatal. This not correct - ENOENT must always be fatal for couple of reasons: - In virSecurityStackTransactionCommit() the seclabels are set for individual secdrivers (e.g. SELinux first and then DAC), but if one secdriver succeeds and another one fails, then no rollback is performed for the successful one leaking remembered labels. - QEMU would fail opening the file anyways (if neither of secdrivers reported error and thus cancelled domain startup) Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=3D2004850 Signed-off-by: Michal Privoznik --- src/security/security_selinux.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/src/security/security_selinux.c b/src/security/security_selinu= x.c index 39c10cbe8f..a3b5fa7546 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -1283,9 +1283,11 @@ virSecuritySELinuxSetFileconImpl(const char *path, } else { /* However, don't claim error if SELinux is in Enforcing mode = and * we are running as unprivileged user and we really did see E= PERM. - * Otherwise we want to return error if SELinux is Enforcing. = */ - if (security_getenforce() =3D=3D 1 && - (setfilecon_errno !=3D EPERM || privileged)) { + * Otherwise we want to return error if SELinux is Enforcing, = or we + * saw EPERM regardless of SELinux mode. */ + if (setfilecon_errno =3D=3D ENOENT || + (security_getenforce() =3D=3D 1 && + (setfilecon_errno !=3D EPERM || privileged))) { virReportSystemError(setfilecon_errno, _("unable to set security context '%s= ' on '%s'"), tcon, path); --=20 2.32.0