From: Michal Privoznik
To: libvir-list@redhat.com
Subject: [PATCH v2 1/2] selinux: Swap two blocks handling setfilecon_raw() failure
Date: Fri, 17 Feb 2023 16:21:27 +0100

In virSecuritySELinuxSetFileconImpl() we have code that handles setfilecon_raw() failure. The code consists of two blocks: one for dealing with a shared filesystem like NFS (errno is ENOTSUP or EROFS) and the other block that's dealing with EPERM for a privileged daemon. Well, the order of these two blocks is a bit confusing because the comment above them mentions the NFS case but the EPERM block follows. Swap these two blocks to make it less confusing.

Signed-off-by: Michal Privoznik
Reviewed-by: Martin Kletzander
---
 src/security/security_selinux.c | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 4d4a1705e6..e9c4051a98 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1261,22 +1261,9 @@ virSecuritySELinuxSetFileconImpl(const char *path, * boolean tunables to allow it ... */ VIR_WARNINGS_NO_WLOGICALOP_EQUAL_EXPR - if (setfilecon_errno !=3D EOPNOTSUPP && setfilecon_errno !=3D ENOT= SUP && - setfilecon_errno !=3D EROFS) { + if (setfilecon_errno =3D=3D EOPNOTSUPP || setfilecon_errno =3D=3D = ENOTSUP || + setfilecon_errno =3D=3D EROFS) { VIR_WARNINGS_RESET - /* However, don't claim error if SELinux is in Enforcing mode = and - * we are running as unprivileged user and we really did see E= PERM. - * Otherwise we want to return error if SELinux is Enforcing. = */ - if (security_getenforce() =3D=3D 1 && - (setfilecon_errno !=3D EPERM || privileged)) { - virReportSystemError(setfilecon_errno, - _("unable to set security context '%s= ' on '%s'"), - tcon, path); - return -1; - } - VIR_WARN("unable to set security context '%s' on '%s' (errno %= d)", - tcon, path, setfilecon_errno); - } else { const char *msg; if (virFileIsSharedFSType(path, VIR_FILE_SHFS_NFS) =3D=3D 1 && security_get_boolean_active("virt_use_nfs") !=3D 1) { 
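Review bot: the inverted condition at the top of this hunk is logically equivalent to the old one (De Morgan turns the `!=` / `&&` chain into `==` / `||`), so no behaviour changes here; the `VIR_WARNINGS_NO_WLOGICALOP_EQUAL_EXPR` guard still has to wrap it, because EOPNOTSUPP and ENOTSUP are the same value on Linux and -Wlogical-op would otherwise flag the duplicated comparison. The EPERM/Enforcing block deleted in this hunk is not dropped but relocated into the `else` branch in the next hunk, so the two hunks should be reviewed as one move.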
@@ -1290,6 +1277,19 @@ virSecuritySELinuxSetFileconImpl(const char *path, VIR_INFO("Setting security context '%s' on '%s' not suppor= ted", tcon, path); } + } else { + /* However, don't claim error if SELinux is in Enforcing mode = and + * we are running as unprivileged user and we really did see E= PERM. + * Otherwise we want to return error if SELinux is Enforcing. = */ + if (security_getenforce() =3D=3D 1 && + (setfilecon_errno !=3D EPERM || privileged)) { + virReportSystemError(setfilecon_errno, + _("unable to set security context '%s= ' on '%s'"), + tcon, path); + return -1; + } + VIR_WARN("unable to set security context '%s' on '%s' (errno %= d)", + tcon, path, setfilecon_errno); } =20 return 1;
-- 
2.39.1
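Review bot: the moved block is textually identical to the one removed in the previous hunk, so the swap is a pure reordering with no behaviour change; the one thing worth a follow-up is the comment it carries. It still opens with "However, don't claim error if SELinux is in Enforcing mode and ...", which was written as a continuation of the NFS comment it used to sit directly under; now that it lives in the `else` branch after the shared-filesystem handling, a comment that first states the branch's own purpose (not a shared filesystem, decide whether the setfilecon failure is fatal) would read better. Note also that this branch is reached for every errno other than EOPNOTSUPP/ENOTSUP/EROFS, including ENOENT, and in Permissive mode it only warns; that is the gap patch 2/2 of this series closes.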
From: Michal Privoznik
To: libvir-list@redhat.com
Subject: [PATCH v2 2/2] selinux: Don't ignore ENOENT in Permissive mode
Date: Fri, 17 Feb 2023 16:21:28 +0100
Message-Id: <2669ef98ad8fb6a586034e51556de487b164094d.1676647236.git.mprivozn@redhat.com>

In the selinux driver there's virSecuritySELinuxSetFileconImpl() which is responsible for the actual setting of the SELinux label on a given file and handling possible failures. In the failure handling code we decide whether the failure is fatal or not. But there is a bug: depending on SELinux mode (Permissive vs. Enforcing) the ENOENT is either ignored or considered fatal. This is not correct - ENOENT must always be fatal for a couple of reasons:

- In virSecurityStackTransactionCommit() the seclabels are set for individual secdrivers (e.g. SELinux first and then DAC), but if one secdriver succeeds and another one fails, then no rollback is performed for the successful one, leaking remembered labels.

- QEMU would fail opening the file anyways (if neither of the secdrivers reported an error and thus cancelled domain startup).

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2004850

Signed-off-by: Michal Privoznik
Reviewed-by: Martin Kletzander
---
 src/security/security_selinux.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinu= x.c index e9c4051a98..2e9efa78f4 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -1280,9 +1280,11 @@ virSecuritySELinuxSetFileconImpl(const char *path, } else { /* However, don't claim error if SELinux is in Enforcing mode = and * we are running as unprivileged user and we really did see E= PERM. - * Otherwise we want to return error if SELinux is Enforcing. = */ - if (security_getenforce() =3D=3D 1 && - (setfilecon_errno !=3D EPERM || privileged)) { + * Otherwise we want to return error if SELinux is Enforcing, = or we + * saw EPERM regardless of SELinux mode. */ + if (setfilecon_errno =3D=3D ENOENT || + (security_getenforce() =3D=3D 1 && + (setfilecon_errno !=3D EPERM || privileged))) { virReportSystemError(setfilecon_errno, _("unable to set security context '%s= ' on '%s'"), tcon, path); --=20 2.39.1
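Review bot: the code and the rewritten comment in this hunk disagree: the new condition makes `setfilecon_errno == ENOENT` fatal regardless of mode, but the comment says "or we saw EPERM regardless of SELinux mode". EPERM is precisely the errno the surrounding check deliberately tolerates for an unprivileged daemon in Enforcing mode, so as written the comment describes the opposite of the behaviour; suggest "... or we saw ENOENT regardless of SELinux mode." The logic itself matches the commit message: for a missing file, falling through to the VIR_WARN path would let virSecurityStackTransactionCommit() carry on and leave the labels already set by another secdriver in place without rollback, and QEMU would fail to open the file anyway.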