Bug 1165485

Summary: libvirt should should add a check for disk seclabel model settings
Product: Red Hat Enterprise Linux 7 Reporter: Luyao Huang <lhuang>
Component: libvirtAssignee: Erik Skultety <eskultet>
Status: CLOSED ERRATA QA Contact: Virtualization Bugs <virt-bugs>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.1CC: dyuan, eskultet, madko, mzhan, rbalakri, zhwang
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: libvirt-1.2.13-1.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-19 05:56:20 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Luyao Huang 2014-11-19 03:55:22 UTC 
Description of problem:
libvirt should should add a check for seclabel model settings in disk

Version-Release number of selected component (if applicable):

libvirt-1.2.8-7.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
S1:
1. # virsh dumpxml test5|grep -3 aa
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw' cache='none'/>
      <source file='/var/lib/libvirt/images/r6.img'>
        <seclabel model='aaa' relabel='yes'>
          <label>1234567890</label>
        </seclabel>
      </source>

2.# getenforce 
Enforcing

3.# virsh start test5
Domain test5 started

4.guest start normal can see this config in guest xml and no warning no error in log

# virsh dumpxml test5|grep -3 aa
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw' cache='none'/>
      <source file='/var/lib/libvirt/images/r6.img'>
        <seclabel model='aaa' relabel='yes'>
          <label>1234567890</label>
        </seclabel>
      </source>

S2:

1.prepare a guest have 3 seclabel in xml
<disk type='file' device='disk'>
      <driver name='qemu' type='raw' cache='none'/>
      <source file='/var/lib/libvirt/images/r6.img'>
        <seclabel model='selinux' relabel='yes'>
          <label>system_u:object_r:svirt_image_t:s0:c555,c968</label>
        </seclabel>
        <seclabel model='selinux' relabel='yes'>
          <label>system_u:object_r:svirt_image_t:s0:c5,c968</label>
        </seclabel>
        <seclabel model='selinux' relabel='yes'>
          <label>1234567</label>
        </seclabel>
      </source>
      <target dev='hda' bus='ide'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>

2.# virsh start test5
Domain test5 started

3.# virsh dumpxml test5

    <disk type='file' device='disk'>
      <driver name='qemu' type='raw' cache='none'/>
      <source file='/var/lib/libvirt/images/r6.img'>
        <seclabel model='selinux' relabel='yes'>
          <label>system_u:object_r:svirt_image_t:s0:c555,c968</label>
        </seclabel>
        <seclabel model='selinux' relabel='yes'>
          <label>system_u:object_r:svirt_image_t:s0:c5,c968</label>
        </seclabel>
        <seclabel model='selinux' relabel='yes'>
          <label>1234567</label>
        </seclabel>
      </source>
      <backingStore/>
      <target dev='hda' bus='ide'/>
      <alias name='ide0-0-0'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>


Actual results:
S1: libvirt ignore the config set when start vm but we can see it via dumpxml 
S2: libvirt only check the first valid selinux image label

Expected results:
S1: report error when try to edit a invalid seclabel model or when start it
S2: forbid several disk seclabel settings

Additional info:

If libvirt want ignore it when start the guest, should give a error or warning in libvirtd.log.
Comment 1 Erik Skultety 2015-02-19 12:32:14 UTC 
Fixed upstream:
    S1:
    commit c3d9d3bbc99b6694b713f6de4198e285ba944f03
    Author: Erik Skultety <eskultet>
    Date:   Thu Feb 12 18:32:40 2015 +0100

    security: introduce virSecurityManagerCheckAllLabel function
    
    We do have a check for valid per-domain security model, however we still
    do permit an invalid security model for a domain's device (those which
    are specified with <source> element).
    This patch introduces a new function virSecurityManagerCheckAllLabel
    which compares user specified security model against currently
    registered security drivers. That being said, it also permits 'none'
    being specified as a device security model.
    
    v1.2.12-133-gc3d9d3b
================================================================================
    S2:
    commit 357f0072caac4d9a0bf887393e01007ffd8297f1
    Author: Erik Skultety <eskultet>
    Date:   Tue Feb 10 17:17:35 2015 +0100

    conf: forbid seclabel duplicates for domain devices
    
    Parser checks for per-domain seclabel duplicates, so it would be nice if
    it checked for per-device seclabel duplicates the same way

    v1.2.12-106-g357f007
Comment 4 zhenfeng wang 2015-05-05 10:00:01 UTC 
Verify this bug with libvirt-1.2.15-1.el7.x86_64
s1
1.Prepare a guest with an invalid seclabel model
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/rhel7.img'>
        <seclabel model='aaa' relabel='yes'>
          <label>1234567890</label>
        </seclabel>
      </source>
      <target dev='hda' bus='ide'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>

2.Start guest, the guest will fail to start and report an expect error
# virsh start rhel7
error: Failed to start domain rhel7
error: unsupported configuration: Unable to find security driver for model aaa

s2
1.prepare a guest have 3 same seclabel in xml
#virsh edit rhel7
--
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/rhel7.img'>
        <seclabel model='selinux' relabel='yes'>
          <label>system_u:object_r:svirt_image_t:s0:c555,c968</label>
        </seclabel>
        <seclabel model='selinux' relabel='yes'>
          <label>system_u:object_r:svirt_image_t:s0:c5,c968</label>
        </seclabel>
        <seclabel model='selinux' relabel='yes'>
          <label>1234567</label>
        </seclabel>
      </source>
      <target dev='hda' bus='ide'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>


2.Save the guest's xml, will fail to save the guest's xml and get an expect 
:wq
error: seclabel for model selinux is already provided
Failed. Try again? [y,n,i,f,?]:

s3
1.Set multi different label for the guest
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/rhel7.img'>
        <seclabel model='selinux' relabel='yes'>
          <label>system_u:object_r:svirt_image_t:s0:c555,c968</label>
        </seclabel>
        <seclabel model='dac' relabel='yes'>
          <label>qemu:root</label>
        </seclabel>
        <seclabel model='none' relabel='yes'>
          <label>test1:test1</label>
        </seclabel>
      </source>
      <target dev='hda' bus='ide'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>
</device>
  <seclabel type='static' model='selinux' relabel='yes'>
    <label>system_u:system_r:svirt_t:s0:c555,c968</label>
  </seclabel>

2.Start the guest, the guest start successfully
#virsh start rhel7

# ps -efZ|grep qemu
system_u:system_r:svirt_t:s0:c555,c968 qemu 20530  1 99 17:17 ?        00:00:21 /usr/libexec/qemu-kvm -name rhel7 


According to the upper steps, mark this bug verifed
Comment 6 errata-xmlrpc 2015-11-19 05:56:20 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2202.html