Bug 1634775
| Summary: | libvirt creating qemu channels with the wrong permissions | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Ján Tomko <jtomko> |
| Component: | libvirt | Assignee: | Ján Tomko <jtomko> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | jiyan <jiyan> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 8.0 | CC: | jdenemar, jiyan, xuzhang |
| Target Milestone: | rc | Keywords: | Regression |
| Target Release: | 8.0 | Flags: | pm-rhel: mirror+ |
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | libvirt-4.5.0-10.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 1633389 | Environment: | |
| Last Closed: | 2019-06-14 01:31:35 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1633389 | ||
| Bug Blocks: | |||
Description
Ján Tomko
2018-10-01 15:17:34 UTC
Fixed upstream by:
commit d6b8838dd83697f721fe0706068df765148154de
Author: Ján Tomko <jtomko>
CommitDate: 2018-10-02 12:44:44 +0200
security: dac: also label listen UNIX sockets
We switched to opening mode='bind' sockets ourselves:
commit 30fb2276d88b275dc2aad6ddd28c100d944b59a5
qemu: support passing pre-opened UNIX socket listen FD
in v4.5.0-rc1~251
Then fixed qemuBuildChrChardevStr to change libvirtd's label
while creating the socket:
commit b0c6300fc42bbc3e5eb0b236392f7344581c5810
qemu: ensure FDs passed to QEMU for chardevs have correct SELinux labels
v4.5.0-rc1~52
Also add labeling of these sockets to the DAC driver.
Instead of duplicating the logic which decides whether libvirt should
pre-create the socket, assume an existing path meaning that it was created
by libvirt.
https://bugzilla.redhat.com/show_bug.cgi?id=1633389
Signed-off-by: Ján Tomko <jtomko>
Reviewed-by: Erik Skultety <eskultet>
git describe: v4.8.0-19-gd6b8838dd8
# rpm -qa libvirt qemu-kvm-rhev kernel
libvirt-4.5.0-10.el8+1962+60f3e94c.x86_64
qemu-kvm-2.12.0-33.el8+1962+60f3e94c.x86_64
kernel-4.18.0-23.el8.x86_64
Steps:
1. Prepare a shutdown VM with the following configuration and then start the VM
# virsh domstate test1
shut off
# virsh dumpxml test1 |grep "<serial" -A5
<serial type='unix'>
<source mode='bind' path='/tmp/foo'/>
<target type='isa-serial' port='1'>
<model name='isa-serial'/>
</target>
</serial>
# virsh dumpxml test1 |grep "<channel" -A5
<channel type='unix'>
<target type='virtio' name='com.redhat.rhevm.vdsm'/>
<address type='virtio-serial' controller='0' bus='0' port='1'/>
</channel>
# virsh start test1
Domain test1 started
# virsh dumpxml test1 |grep "<serial" -A7
<serial type='unix'>
<source mode='bind' path='/tmp/foo'/>
<target type='isa-serial' port='1'>
<model name='isa-serial'/>
</target>
<alias name='serial0'/>
</serial>
# virsh dumpxml test1 |grep "<channel" -A5
<channel type='unix'>
<source mode='bind' path='/var/lib/libvirt/qemu/channel/target/domain-6-test1/com.redhat.rhevm.vdsm'/>
<target type='virtio' name='com.redhat.rhevm.vdsm' state='disconnected'/>
<alias name='channel0'/>
<address type='virtio-serial' controller='0' bus='0' port='1'/>
</channel>
2. Check the qemu cmd line
# ps -ef |grep "test1" |sed 's/-device/\n-device/g'
-chardev socket,id=charserial0,fd=33,server,nowait
-device isa-serial,chardev=charserial0,id=serial0
-chardev socket,id=charchannel0,fd=34,server,nowait
-device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.rhevm.vdsm
3. Check the "uid:gid" of the related files
# ll -alZ /tmp/foo
srwxrwxr-x. 1 qemu qemu system_u:object_r:tmp_t:s0 0 Oct 12 02:08 /tmp/foo
# ll -alZ /var/lib/libvirt/qemu/channel/target/domain-6-test1/com.redhat.rhevm.vdsm
srwxrwxr-x. 1 qemu qemu system_u:object_r:svirt_image_t:s0:c144,c1018 0 Oct 12 02:08 /var/lib/libvirt/qemu/channel/target/domain-6-test1/com.redhat.rhevm.vdsm
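The ownership check above is done by hand with `ll -alZ` on two paths. The following is an added example, not libvirt's code and not part of this bug report: it pulls every `<source mode='bind' path=.../>` chardev out of a domain's XML (only those sockets are created and labelled by libvirt; `mode='connect'` sockets belong to the peer) and verifies that each one on disk is a UNIX socket owned by the expected uid:gid and not world-writable. `SAMPLE_XML` is a constructed cut-down copy of the running-domain XML from the steps above, `make_listen_socket` and `self_check` exist only to exercise the checker in a scratch directory, and the "qemu" user name used in the command-line entry point is an assumption matching the `qemu qemu` ownership shown in the verification.

```python
"""Audit libvirt-created chardev UNIX sockets for DAC ownership (added example)."""
import os
import socket
import stat
import xml.etree.ElementTree as ET

# Constructed sample: the running-domain XML from the verification steps,
# trimmed to the chardev elements, plus one mode='connect' channel that
# the checker must ignore because libvirt does not create that socket.
SAMPLE_XML = """<domain type='kvm'>
  <name>test1</name>
  <devices>
    <serial type='unix'>
      <source mode='bind' path='/tmp/foo'/>
      <target type='isa-serial' port='1'/>
    </serial>
    <channel type='unix'>
      <source mode='bind' path='/var/lib/libvirt/qemu/channel/target/domain-6-test1/com.redhat.rhevm.vdsm'/>
      <target type='virtio' name='com.redhat.rhevm.vdsm'/>
    </channel>
    <channel type='unix'>
      <source mode='connect' path='/run/vdsm/agent.sock'/>
      <target type='virtio' name='org.qemu.guest_agent.0'/>
    </channel>
  </devices>
</domain>"""

CHARDEV_TAGS = ("serial", "channel", "console", "parallel")


def bind_socket_paths(domain_xml):
    """Return the path of every UNIX chardev socket libvirt binds itself."""
    root = ET.fromstring(domain_xml)
    paths = []
    for dev in root.iter():
        if dev.tag not in CHARDEV_TAGS or dev.get("type") != "unix":
            continue
        src = dev.find("source")
        if src is not None and src.get("mode") == "bind" and src.get("path"):
            paths.append(src.get("path"))
    return paths


def check_socket_owner(path, expected_uid, expected_gid):
    """Return (ok, reason): ok only if path is a socket owned by
    expected_uid:expected_gid and not writable by others."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False, "missing"
    if not stat.S_ISSOCK(st.st_mode):
        return False, "not a socket"
    if (st.st_uid, st.st_gid) != (expected_uid, expected_gid):
        return False, "owned by %d:%d, expected %d:%d" % (
            st.st_uid, st.st_gid, expected_uid, expected_gid)
    if st.st_mode & stat.S_IWOTH:
        return False, "world-writable (%o)" % stat.S_IMODE(st.st_mode)
    return True, "ok"


def audit(domain_xml, expected_uid, expected_gid):
    """Map each bind-socket path in the domain XML to its check result."""
    return {p: check_socket_owner(p, expected_uid, expected_gid)
            for p in bind_socket_paths(domain_xml)}


def make_listen_socket(path, uid=-1, gid=-1):
    """Bind a listening UNIX socket, then chown it before the FD would be
    handed to QEMU; the chown is the step the DAC driver was missing.
    -1 leaves that id unchanged (os.chown semantics)."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    os.chown(path, uid, gid)
    return srv


def self_check():
    """Exercise the checker on a socket in a scratch directory (test helper)."""
    import tempfile
    old_umask = os.umask(0o022)          # deterministic mode for the example
    d = tempfile.mkdtemp()
    path = os.path.join(d, "chardev.sock")
    srv = make_listen_socket(path)       # owned by the current uid:gid
    try:
        uid, gid = os.getuid(), os.getgid()
        results = {
            "correct_owner": check_socket_owner(path, uid, gid),
            "wrong_owner": check_socket_owner(path, uid + 1, gid),
            "missing": check_socket_owner(path + ".none", uid, gid),
        }
        os.chmod(path, 0o777)
        results["world_writable"] = check_socket_owner(path, uid, gid)
    finally:
        srv.close()
        os.unlink(path)
        os.rmdir(d)
        os.umask(old_umask)
    return results


if __name__ == "__main__":
    import pwd
    import sys
    # usage: virsh dumpxml DOMAIN | python3 chardev_audit.py [user]
    user = pwd.getpwnam(sys.argv[1] if len(sys.argv) > 1 else "qemu")
    for p, (ok, why) in audit(sys.stdin.read(), user.pw_uid, user.pw_gid).items():
        print("%-4s %s: %s" % ("PASS" if ok else "FAIL", p, why))
```

Run it as root against a live domain (`virsh dumpxml test1 | python3 chardev_audit.py qemu`); on a build with the regression the sockets show up as owned by libvirtd's identity rather than `qemu:qemu`, which is exactly the FAIL line the checker prints.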