1. Patchew
  2. Libvirt
  3. [PATCH v2 0/3] security: Don't error out on seclabels of type='none'
  4. View patch

[PATCH v2 3/3] security: Don't error out on seclabels of type='none'

Michal Privoznik via Devel posted 3 patches 9 hours ago
[PATCH v2 3/3] security: Don't error out on seclabels of type='none'
Posted by Michal Privoznik via Devel 9 hours ago 
From: Michal Privoznik <mprivozn@redhat.com>

Ever since of commit v1.2.13-rc1~66 the model attribute of a
<seclabel/> is validated against secdriver names enabled. In
nearly all cases this is something users want so that domain XML
does not claim to set seclabels of a model that's not enabled.
However, consider the following seclabel:

  <seclabel type='none' model='selinux'/>

It tells us to not bother setting selinux labels on given domain.
A mgmt app might format this into domain XML if it sees selinux
is disabled on the host. But if that's the case, selinux driver
is not loaded and this virSecurityManagerCheckModel() doesn't
find it and reports an error.

Well, the error doesn't need to be reported as we will just
ignore selinux as each driver callback checks if relabel is false
(which it is for type='none'). This is true for other secdrivers
too.

Resolves: https://redhat.atlassian.net/browse/RHEL-156689
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
 src/security/security_manager.c | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index f2f3bb4f19..bef9863799 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -727,7 +727,8 @@ virSecurityManagerReleaseLabel(virSecurityManager *mgr,
 
 
 static int virSecurityManagerCheckModel(virSecurityManager *mgr,
-                                        char *secmodel)
+                                        char *secmodel,
+                                        bool relabel)
 {
     g_autofree virSecurityManager **sec_managers = NULL;
     size_t i;
@@ -744,6 +745,11 @@ static int virSecurityManagerCheckModel(virSecurityManager *mgr,
         }
     }
 
+    if (relabel == false) {
+        VIR_INFO("Ignoring seclabel with model %s and relabel=no", secmodel);
+        return 0;
+    }
+
     virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
                    _("Security driver model '%1$s' is not available"),
                    secmodel);
@@ -758,8 +764,11 @@ virSecurityManagerCheckDomainLabel(virSecurityManager *mgr,
     size_t i;
 
     for (i = 0; i < def->nseclabels; i++) {
-        if (virSecurityManagerCheckModel(mgr, def->seclabels[i]->model) < 0)
+        if (virSecurityManagerCheckModel(mgr,
+                                         def->seclabels[i]->model,
+                                         def->seclabels[i]->relabel) < 0) {
             return -1;
+        }
     }
 
     return 0;
@@ -773,8 +782,11 @@ virSecurityManagerCheckDiskLabel(virSecurityManager *mgr,
     size_t i;
 
     for (i = 0; i < disk->src->nseclabels; i++) {
-        if (virSecurityManagerCheckModel(mgr, disk->src->seclabels[i]->model) < 0)
+        if (virSecurityManagerCheckModel(mgr,
+                                         disk->src->seclabels[i]->model,
+                                         disk->src->seclabels[i]->relabel) < 0) {
             return -1;
+        }
     }
 
     return 0;
@@ -788,8 +800,11 @@ virSecurityManagerCheckChardevLabel(virSecurityManager *mgr,
     size_t i;
 
     for (i = 0; i < dev->source->nseclabels; i++) {
-        if (virSecurityManagerCheckModel(mgr, dev->source->seclabels[i]->model) < 0)
+        if (virSecurityManagerCheckModel(mgr,
+                                         dev->source->seclabels[i]->model,
+                                         dev->source->seclabels[i]->relabel) < 0) {
             return -1;
+        }
     }
 
     return 0;
-- 
2.52.0

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.