This marks kernel, initrd, dtb, and similar elements with is_shared,
meaning we skip label restore if xattr label remembering is not
enabled or supported (like on qemu:///session).
non-xattr based label restore is subject to race conditions if
multiple VMs are starting and stopping using shared media:
https://issues.redhat.com/browse/RHEL-126945
This covers every case that is using content_context (virt_content_t)
at SetFileLabel time, which is how we are marking content as
readonly. All the shareable cases (marked with file_context) are
already skipping remembering/label restore entirely.
Signed-off-by: Cole Robinson <crobinso@redhat.com>
---
src/security/security_selinux.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 898f253256..2f3cc274a5 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -2841,7 +2841,7 @@ virSecuritySELinuxRestoreSecuritySmartcardCallback(virDomainDef *def,
database = dev->data.cert.database;
if (!database)
database = VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE;
- return virSecuritySELinuxRestoreFileLabel(mgr, database, true, false);
+ return virSecuritySELinuxRestoreFileLabel(mgr, database, true, true);
case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
return virSecuritySELinuxRestoreChardevLabel(mgr, def,
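Review bot: The changed calls now pass two bare boolean literals (`true, true`), here and in the hunks at 2878 and 2974, and a reader of the call site cannot tell which of them is the is_shared flag the description refers to. A call-site annotation such as `return virSecuritySELinuxRestoreFileLabel(mgr, database, true, true /* is_shared */);` (and the same on the f->file, os.kernel/initrd/shim/dtb and acpiTables calls) would make the intent visible without changing behaviour. The enclosing switch in virSecuritySELinuxRestoreSecuritySmartcardCallback continues past the hunk.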
@@ -2878,7 +2878,7 @@ virSecuritySELinuxRestoreSysinfoLabel(virSecurityManager *mgr,
virSysinfoFWCfgDef *f = &def->fw_cfgs[i];
if (f->file &&
- virSecuritySELinuxRestoreFileLabel(mgr, f->file, true, false) < 0)
+ virSecuritySELinuxRestoreFileLabel(mgr, f->file, true, true) < 0)
return -1;
}
@@ -2974,23 +2974,23 @@ virSecuritySELinuxRestoreAllLabel(virSecurityManager *mgr,
}
if (def->os.kernel &&
- virSecuritySELinuxRestoreFileLabel(mgr, def->os.kernel, true, false) < 0)
+ virSecuritySELinuxRestoreFileLabel(mgr, def->os.kernel, true, true) < 0)
rc = -1;
if (def->os.initrd &&
- virSecuritySELinuxRestoreFileLabel(mgr, def->os.initrd, true, false) < 0)
+ virSecuritySELinuxRestoreFileLabel(mgr, def->os.initrd, true, true) < 0)
rc = -1;
if (def->os.shim &&
- virSecuritySELinuxRestoreFileLabel(mgr, def->os.shim, true, false) < 0)
+ virSecuritySELinuxRestoreFileLabel(mgr, def->os.shim, true, true) < 0)
rc = -1;
if (def->os.dtb &&
- virSecuritySELinuxRestoreFileLabel(mgr, def->os.dtb, true, false) < 0)
+ virSecuritySELinuxRestoreFileLabel(mgr, def->os.dtb, true, true) < 0)
rc = -1;
for (i = 0; i < def->os.nacpiTables; i++) {
- if (virSecuritySELinuxRestoreFileLabel(mgr, def->os.acpiTables[i]->path, true, false) < 0)
+ if (virSecuritySELinuxRestoreFileLabel(mgr, def->os.acpiTables[i]->path, true, true) < 0)
rc = -1;
}
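Review bot: Nothing at the call sites in virSecuritySELinuxRestoreAllLabel records the trade-off the description states: with is_shared the restore is skipped when xattr label remembering is unavailable, so on such hosts the kernel, initrd, shim, dtb and ACPI table files presumably keep whatever label was applied at set time after the domain stops. A short comment above the `def->os.kernel` check, e.g. `/* Shared boot media: restore is skipped unless xattr label remembering is available, see RHEL-126945 */`, would keep that reasoning next to the code. Whether the set-side path labels these files at all on hosts without xattr support is not visible in this hunk, so the residual state should be confirmed against the SetFileLabel counterpart. virSecuritySELinuxRestoreAllLabel starts before the hunk and continues past it.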
--
2.51.1