Bug 1066894
| Summary: | Implement for libvirt guest's xml for security label | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | zhenfeng wang <zhwang> | |
| Component: | libvirt | Assignee: | Michal Privoznik <mprivozn> | |
| Status: | CLOSED ERRATA | QA Contact: | Virtualization Bugs <virt-bugs> | |
| Severity: | low | Docs Contact: | ||
| Priority: | low | |||
| Version: | 7.0 | CC: | ajia, dyuan, gsun, juzhou, mzhan, pkrempa, rbalakri, ydu | |
| Target Milestone: | rc | Keywords: | Upstream | |
| Target Release: | --- | |||
| Hardware: | x86_64 | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | libvirt-1.2.7-1.el7 | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1066895 (view as bug list) | Environment: | ||
| Last Closed: | 2015-03-05 07:30:28 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1066895 | |||
Patch proposed upstream: https://www.redhat.com/archives/libvir-list/2014-July/msg00526.html So I've just pushed the patch upstream:
commit d1abf819cf1b2fda893c029344de77d5b6cc5ba9
Author: Michal Privoznik <mprivozn>
AuthorDate: Wed Jul 9 15:15:27 2014 +0200
Commit: Michal Privoznik <mprivozn>
CommitDate: Fri Jul 11 10:36:08 2014 +0200
conf: Don't allow multiple seclabels for same model
https://bugzilla.redhat.com/show_bug.cgi?id=1066894
With current code it's possible to have for instance:
virsh dumpxml mydomain | grep seclabel
<seclabel type='dynamic' model='selinux' relabel='yes'/>
<seclabel type='dynamic' model='selinux' relabel='yes'/>
<seclabel type='dynamic' model='selinux' relabel='yes'/>
<seclabel type='dynamic' model='selinux' relabel='yes'/>
<seclabel type='dynamic' model='selinux' relabel='yes'/>
what doesn't make any sense. We should reject the XML in the config
parsing phase.
Signed-off-by: Michal Privoznik <mprivozn>
v1.2.6-123-gd1abf81
I could reproduce this issue with libvirt-1.1.1-23.el7.x86_64 as following steps:
1.Prepare a normal guest
# virsh list --all
Id Name State
----------------------------------------------------
- rhel6 shut off
2.Edit the guest's xml, Add 5 or more same security label, save the guest's xml,
it didn't report error while edit the guest's xml, also it generate many same
seclabel in the guest's xml , i think we can do some implement for this issue
#virsh edit rhel6
--
<seclabel type='dynamic' model='selinux'/>
<seclabel type='dynamic' model='selinux'/>
<seclabel type='dynamic' model='selinux'/>
<seclabel type='dynamic' model='selinux'/>
<seclabel type='dynamic' model='selinux'/>
--
#virsh dumpxml rhel6 | grep seclabel
<seclabel type='dynamic' model='selinux' relabel='yes'/>
<seclabel type='dynamic' model='selinux' relabel='yes'/>
<seclabel type='dynamic' model='selinux' relabel='yes'/>
<seclabel type='dynamic' model='selinux' relabel='yes'/>
<seclabel type='dynamic' model='selinux' relabel='yes'/>
3.Start the guest, check the guest's xml, we can see only one seclabel work,
other seclabel didn't work
#virsh start rhel6
# virsh dumpxml rhel6 |grep seclabel -A 3
<seclabel type='dynamic' model='selinux' relabel='yes'>
<label>system_u:system_r:svirt_t:s0:c12,c756</label>
<imagelabel>system_u:object_r:svirt_image_t:s0:c12,c756</imagelabel>
</seclabel>
<seclabel type='dynamic' model='selinux' relabel='yes'/>
<seclabel type='dynamic' model='selinux' relabel='yes'/>
<seclabel type='dynamic' model='selinux' relabel='yes'/>
<seclabel type='dynamic' model='selinux' relabel='yes'/>
Verified this with libvirt-1.2.7-1.el7.x86_64:
1.Prepare a normal guest
# virsh list --all
Id Name State
----------------------------------------------------
- rhel6 shut off
2.Edit the guest's xml, Add 5 or more same security label, save the guest's xml,
it will report error while edit the guest's xml to prevent this change:
#virsh edit rhel6
--
<seclabel type='dynamic' model='selinux'/>
<seclabel type='dynamic' model='selinux'/>
<seclabel type='dynamic' model='selinux'/>
<seclabel type='dynamic' model='selinux'/>
<seclabel type='dynamic' model='selinux'/>
--
error: seclablel for model selinux is already provided
Failed. Try again? [y,n,f,?]:
Only one instance for seclabel is allowed to save.
(In reply to zhengqin from comment #6) > > Only one instance for seclabel is allowed to save. Awesome, that's expected behavior. Verify this bug with libvirt-1.2.8-8.el7.x86_64 steps 1.Prepare a normal guest # virsh list --all Id Name State ---------------------------------------------------- - rhel7.0 shut off 2.Edit the guest's xml, Add 2 or more same security label, save the guest's xml, it will report error while edit the guest's xml to prevent this change: #virsh edit rhel7.0 -- <seclabel type='dynamic' model='selinux'/> <seclabel type='dynamic' model='selinux'/> -- error: seclablel for model selinux is already provided Failed. Try again? [y,n,f,?]: Only one instance for seclabel is allowed to save. 3.add multi-seclabel with different model,which could be saved successfully <seclabel type='dynamic' model='selinux'/> <seclabel type='dynamic' model='dac' relabel='yes'/> <seclabel type='dynamic' model='abc' relabel='yes'/> According to the upper steps, mark this bug verifed Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-0323.html |
Description of problem: Implement for libvirt guest's xml that it should report error or left only one uniqure security label while there have two or more same Security label in the guest's xml Version-Release number of selected component (if applicable): kernel-3.10.0-88.el7.x86_64 qemu-kvm-rhev-1.5.3-47.el7.x86_64 libvirt-1.1.1-23.el7.x86_64 libselinux-2.2.2-6.el7.x86_64 selinux-policy-3.12.1-125.el7.noarch How reproducible: 100% Steps 1.Prepare a normal guest # virsh list --all Id Name State ---------------------------------------------------- - rhel75 shut off 2.Edit the guest's xml, Add 5 or more same security label, save the guest's xml, it didn't report error while edit the guest's xml, also it generate many same seclabel in the guest's xml , i think we can do some implement for this issue #virsh edit rhel75 -- <seclabel type='dynamic' model='selinux'/> <seclabel type='dynamic' model='selinux'/> <seclabel type='dynamic' model='selinux'/> <seclabel type='dynamic' model='selinux'/> <seclabel type='dynamic' model='selinux'/> -- #virsh dumpxml rhel75|grep seclabel <seclabel type='dynamic' model='selinux' relabel='yes'/> <seclabel type='dynamic' model='selinux' relabel='yes'/> <seclabel type='dynamic' model='selinux' relabel='yes'/> <seclabel type='dynamic' model='selinux' relabel='yes'/> <seclabel type='dynamic' model='selinux' relabel='yes'/> 3.Start the guest, check the guest's xml, we can see only one seclabel work, other seclabel didn't work #virsh start rhel75 # virsh dumpxml rhel75 |grep seclabel -A 3 <seclabel type='dynamic' model='selinux' relabel='yes'> <label>system_u:system_r:svirt_t:s0:c12,c756</label> <imagelabel>system_u:object_r:svirt_image_t:s0:c12,c756</imagelabel> </seclabel> <seclabel type='dynamic' model='selinux' relabel='yes'/> <seclabel type='dynamic' model='selinux' relabel='yes'/> <seclabel type='dynamic' model='selinux' relabel='yes'/> <seclabel type='dynamic' model='selinux' relabel='yes'/> Actual results: As step 2 Expected results: As Description