Bug 2160356
| Summary: | Libvirt should not allow to add device selinux label without label string when relabel="yes" | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Han Han <hhan> | ||||
| Component: | libvirt | Assignee: | Michal Privoznik <mprivozn> | ||||
| libvirt sub component: | General | QA Contact: | zhentang <zhetang> | ||||
| Status: | CLOSED ERRATA | Docs Contact: | |||||
| Severity: | low | ||||||
| Priority: | low | CC: | dzheng, fqi, hshuai, jdenemar, lmen, mprivozn, virt-maint, yafu, yalzhang | ||||
| Version: | 9.2 | Keywords: | AutomationTriaged, Triaged, Upstream | ||||
| Target Milestone: | rc | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | libvirt-9.5.0-0rc1.1.el9 | Doc Type: | If docs needed, set a value | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | |||||||
| : | 2209225 (view as bug list) | Environment: | |||||
| Last Closed: | 2023-11-07 08:30:47 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | 9.5.0 | ||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 2209225 | ||||||
| Attachments: |
|
||||||
|
Description
Han Han
2023-01-12 07:06:13 UTC
There's a lot of historical baggage around parsing of <seclabel/>-s so we must be careful to not break existing applications. Patch proposed on the list: https://listman.redhat.com/archives/libvir-list/2023-May/240090.html Merged upstream as:
commit a36318be9d6fec1be3bd2bafefff0849e6b9e13a
Author: Michal Prívozník <mprivozn>
AuthorDate: Thu May 25 15:43:56 2023 +0200
Commit: Michal Prívozník <mprivozn>
CommitDate: Thu Jun 1 13:53:09 2023 +0200
conf: Reject invalid device's <seclabel relabel='yes'/> with no <label/>
We allow (some) domain devices to have a different <seclabel/>
than the top level domain one (this is mostly to allow access to
a resource for multiple domains). Now, we do couple of sanity
checks for such <seclabel/>, e.g. when the <label/> is specified,
but '@relabel' is set to no. But what we are missing is the
opposite: when '@relabel' is set, but no <label/> was provided.
Our schema already denies such combination. Make our parser
behave the same.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2160356
Signed-off-by: Michal Privoznik <mprivozn>
Reviewed-by: Ján Tomko <jtomko>
v9.4.0-2-ga36318be9d
Tested on libvirt-9.5.0-0rc1.1.el9.x86_64
1. hotplug a device with seclabel model 'selinux' and relabel='yes' without label string , failed with clear error message
[root@zhetang-rhel93 hotplug]# cat seclabel.plug.xml
<serial type='unix'>
<source mode='bind' path='/tmp/test1.sock'>
<seclabel model='selinux' relabel='yes'>
</seclabel>
</source>
<target type='pci-serial' port='1'/>
</serial>
[root@zhetang-rhel93 hotplug]# virsh attach-device rhel9 seclabel.plug.xml
error: Failed to attach device from seclabel.plug.xml
error: XML error: Cannot specify relabel if label is missing. model=selinux
2. hotplug a device with seclabel model 'dac' and relabel='yes' without label string , failed with clear error message
[root@zhetang-rhel93 hotplug]# cat dac_hotplug.xml
<serial type='unix'>
<source mode='bind' path='/tmp/test1.sock'>
<seclabel model='dac' relabel='yes'>
</seclabel>
</source>
<target type='pci-serial' port='1'/>
</serial>
[root@zhetang-rhel93 hotplug]# virsh attach-device rhel9 dac_hotplug.xml
error: Failed to attach device from dac_hotplug.xml
error: XML error: Cannot specify relabel if label is missing. model=dac
3.hotplug a device with selinux label string , attached successfully
[root@zhetang-rhel93 hotplug]# cat seclabel.plug.xml
<serial type='unix'>
<source mode='bind' path='/tmp/test1.sock'>
<seclabel model='selinux' relabel='yes'>
<label>system_u:object_r:svirt_image_t:s0</label>
</seclabel>
</source>
<target type='pci-serial' port='1'/>
</serial>
[root@zhetang-rhel93 hotplug]# virsh attach-device rhel9 seclabel.plug.xml
Device attached successfully
[root@zhetang-rhel93 hotplug]# virsh dumpxml rhel9 --xpath //serial
<serial type="unix">
<source mode="bind" path="/tmp/test1.sock">
<seclabel model="selinux" relabel="yes">
<label>system_u:object_r:svirt_image_t:s0</label>
</seclabel>
</source>
<target type="pci-serial" port="1">
<model name="pci-serial"/>
</target>
<alias name="serial0"/>
<address type="pci" domain="0x0000" bus="0x09" slot="0x01" function="0x0"/>
</serial>
[root@zhetang-rhel93 hotplug]# ll -Z /tmp | grep test
srwxrwxr-x. 1 qemu qemu system_u:object_r:svirt_image_t:s0 0 Jul 7 04:44 test1.sock
4.hotplug a device with dac label string, attached successfully
[root@zhetang-rhel93 hotplug]# cat dac_hotplug.xml
<serial type='unix'>
<source mode='bind' path='/tmp/test1.sock'>
<seclabel model='dac' relabel='yes'>
<label>test:test</label>
</seclabel>
</source>
<target type='pci-serial' port='1'/>
</serial>
[root@zhetang-rhel93 hotplug]# virsh attach-device rhel9 dac_hotplug.xml
Device attached successfully
[root@zhetang-rhel93 hotplug]# virsh dumpxml rhel9 --xpath //serial
<serial type="unix">
<source mode="bind" path="/tmp/test1.sock">
<seclabel model="dac" relabel="yes">
<label>test:test</label>
</seclabel>
</source>
<target type="pci-serial" port="1">
<model name="pci-serial"/>
</target>
<alias name="serial0"/>
<address type="pci" domain="0x0000" bus="0x09" slot="0x01" function="0x0"/>
</serial>
[root@zhetang-rhel93 hotplug]# ll /tmp | grep test
srwxrwxr-x. 1 test test 0 Jul 7 04:42 test1.sock
5. hotplug a device with relabel='no', attached successfully
[root@zhetang-rhel93 hotplug]# cat norelabel-hotplug.xml
<serial type='unix'>
<source mode='bind' path='/tmp/test1.sock'>
<seclabel model='selinux' relabel='no'>
</seclabel>
</source>
<target type='pci-serial' port='1'/>
</serial>
[root@zhetang-rhel93 hotplug]# virsh attach-device rhel9 norelabel-hotplug.xml
Device attached successfully
[root@zhetang-rhel93 hotplug]# virsh dumpxml rhel9 --xpath //serial
<serial type="unix">
<source mode="bind" path="/tmp/test1.sock">
<seclabel model="selinux" relabel="no"/>
</source>
<target type="pci-serial" port="1">
<model name="pci-serial"/>
</target>
<alias name="serial0"/>
<address type="pci" domain="0x0000" bus="0x09" slot="0x01" function="0x0"/>
</serial>
verified on libvirt-9.5.0-5.el9.x86_64
1. hotplug a device with seclabel model 'selinux' and relabel='yes' without label string , failed with clear error message
[root@zhetang-rhel93 hotplug]# cat seclabel.plug.xml
<serial type='unix'>
<source mode='bind' path='/tmp/test1.sock'>
<seclabel model='selinux' relabel='yes'>
</seclabel>
</source>
<target type='pci-serial' port='1'/>
</serial>
[root@zhetang-rhel93 hotplug]# virsh attach-device blob-rhel9-3 seclabel.plug.xml
error: Failed to attach device from seclabel.plug.xml
error: XML error: Cannot specify relabel if label is missing. model=selinux
2. hotplug a device with seclabel model 'dac' and relabel='yes' without label string , failed with clear error message
[root@zhetang-rhel93 hotplug]# cat dac_hotplug.xml
<serial type='unix'>
<source mode='bind' path='/tmp/test1.sock'>
<seclabel model='dac' relabel='yes'>
</seclabel>
</source>
<target type='pci-serial' port='1'/>
</serial>
[root@zhetang-rhel93 hotplug]# virsh attach-device blob-rhel9-3 dac_hotplug.xml
error: Failed to attach device from dac_hotplug.xml
error: XML error: Cannot specify relabel if label is missing. model=dac
3. hotplug a device with selinux label string , attached successfully
[root@zhetang-rhel93 hotplug]# cat seclabel.plug.xml
<serial type='unix'>
<source mode='bind' path='/tmp/test1.sock'>
<seclabel model='selinux' relabel='yes'>
<label>system_u:object_r:svirt_image_t:s0</label>
</seclabel>
</source>
<target type='pci-serial' port='1'/>
</serial>
[root@zhetang-rhel93 hotplug]# virsh attach-device rhel9 seclabel.plug.xml
Device attached successfully
[root@zhetang-rhel93 hotplug]# virsh dumpxml rhel9 --xpath //serial
<serial type="unix">
<source mode="bind" path="/tmp/test1.sock">
<seclabel model="selinux" relabel="yes">
<label>system_u:object_r:svirt_image_t:s0</label>
</seclabel>
</source>
<target type="pci-serial" port="1">
<model name="pci-serial"/>
</target>
<alias name="serial0"/>
<address type="pci" domain="0x0000" bus="0x09" slot="0x01" function="0x0"/>
</serial>
4. hotplug a device with dac label string, attached successfully
[root@zhetang-rhel93 hotplug]# cat dac_hotplug.xml
<serial type='unix'>
<source mode='bind' path='/tmp/test1.sock'>
<seclabel model='dac' relabel='yes'>
<label>test:test</label>
</seclabel>
</source>
<target type='pci-serial' port='1'/>
</serial>
[root@zhetang-rhel93 hotplug]# virsh attach-device rhel9 dac_hotplug.xml
Device attached successfully
[root@zhetang-rhel93 hotplug]# virsh dumpxml rhel9 --xpath //serial
<serial type="unix">
<source mode="bind" path="/tmp/test1.sock">
<seclabel model="dac" relabel="yes">
<label>test:test</label>
</seclabel>
</source>
<target type="pci-serial" port="1">
<model name="pci-serial"/>
</target>
<alias name="serial0"/>
<address type="pci" domain="0x0000" bus="0x09" slot="0x01" function="0x0"/>
</serial>
5. hotplug a device with relabel='no', attached successfully
[root@zhetang-rhel93 hotplug]# cat norelabel-hotplug.xml
<serial type='unix'>
<source mode='bind' path='/tmp/test1.sock'>
<seclabel model='selinux' relabel='no'>
</seclabel>
</source>
<target type='pci-serial' port='1'/>
</serial>
[root@zhetang-rhel93 hotplug]# virsh attach-device rhel9 norelabel-hotplug.xml
Device attached successfully
[root@zhetang-rhel93 hotplug]# virsh dumpxml rhel9 --xpath //serial
<serial type="unix">
<source mode="bind" path="/tmp/test1.sock">
<seclabel model="selinux" relabel="no"/>
</source>
<target type="pci-serial" port="1">
<model name="pci-serial"/>
</target>
<alias name="serial0"/>
<address type="pci" domain="0x0000" bus="0x09" slot="0x01" function="0x0"/>
</serial>
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: libvirt security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2023:6409 |