Bug 2160356
| Summary: | Libvirt should not allow to add device selinux label without label string when relabel="yes" | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Han Han <hhan> |
| Component: | libvirt | Assignee: | Michal Privoznik <mprivozn> |
| libvirt sub component: | General | QA Contact: | zhentang <zhetang> |
| Status: | CLOSED ERRATA | Docs Contact: | |
| Severity: | low | | |
| Priority: | low | CC: | dzheng, fqi, hshuai, jdenemar, lmen, mprivozn, virt-maint, yafu, yalzhang |
| Version: | 9.2 | Keywords: | AutomationTriaged, Triaged, Upstream |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | libvirt-9.5.0-0rc1.1.el9 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| | 2209225 | Environment: | |
| Last Closed: | 2023-11-07 08:30:47 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | 9.5.0 |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 2209225 | | |
| Attachments: | | | |
Description
Han Han
2023-01-12 07:06:13 UTC
There's a lot of historical baggage around parsing of <seclabel/>-s so we must be careful to not break existing applications.

Patch proposed on the list: https://listman.redhat.com/archives/libvir-list/2023-May/240090.html

Merged upstream as:

```
commit a36318be9d6fec1be3bd2bafefff0849e6b9e13a
Author:     Michal Prívozník <mprivozn>
AuthorDate: Thu May 25 15:43:56 2023 +0200
Commit:     Michal Prívozník <mprivozn>
CommitDate: Thu Jun 1 13:53:09 2023 +0200

    conf: Reject invalid device's <seclabel relabel='yes'/> with no <label/>

    We allow (some) domain devices to have a different <seclabel/> than
    the top level domain one (this is mostly to allow access to a
    resource for multiple domains). Now, we do a couple of sanity checks
    for such <seclabel/>, e.g. when the <label/> is specified, but
    '@relabel' is set to no. But what we are missing is the opposite:
    when '@relabel' is set, but no <label/> was provided. Our schema
    already denies such a combination. Make our parser behave the same.

    Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2160356
    Signed-off-by: Michal Privoznik <mprivozn>
    Reviewed-by: Ján Tomko <jtomko>
```

v9.4.0-2-ga36318be9d

Tested on libvirt-9.5.0-0rc1.1.el9.x86_64

1. hotplug a device with seclabel model 'selinux' and relabel='yes' without label string, failed with clear error message

```
[root@zhetang-rhel93 hotplug]# cat seclabel.plug.xml
<serial type='unix'>
  <source mode='bind' path='/tmp/test1.sock'>
    <seclabel model='selinux' relabel='yes'>
    </seclabel>
  </source>
  <target type='pci-serial' port='1'/>
</serial>
[root@zhetang-rhel93 hotplug]# virsh attach-device rhel9 seclabel.plug.xml
error: Failed to attach device from seclabel.plug.xml
error: XML error: Cannot specify relabel if label is missing. model=selinux
```

2. hotplug a device with seclabel model 'dac' and relabel='yes' without label string, failed with clear error message

```
[root@zhetang-rhel93 hotplug]# cat dac_hotplug.xml
<serial type='unix'>
  <source mode='bind' path='/tmp/test1.sock'>
    <seclabel model='dac' relabel='yes'>
    </seclabel>
  </source>
  <target type='pci-serial' port='1'/>
</serial>
[root@zhetang-rhel93 hotplug]# virsh attach-device rhel9 dac_hotplug.xml
error: Failed to attach device from dac_hotplug.xml
error: XML error: Cannot specify relabel if label is missing. model=dac
```

3. hotplug a device with selinux label string, attached successfully

```
[root@zhetang-rhel93 hotplug]# cat seclabel.plug.xml
<serial type='unix'>
  <source mode='bind' path='/tmp/test1.sock'>
    <seclabel model='selinux' relabel='yes'>
      <label>system_u:object_r:svirt_image_t:s0</label>
    </seclabel>
  </source>
  <target type='pci-serial' port='1'/>
</serial>
[root@zhetang-rhel93 hotplug]# virsh attach-device rhel9 seclabel.plug.xml
Device attached successfully
[root@zhetang-rhel93 hotplug]# virsh dumpxml rhel9 --xpath //serial
<serial type="unix">
  <source mode="bind" path="/tmp/test1.sock">
    <seclabel model="selinux" relabel="yes">
      <label>system_u:object_r:svirt_image_t:s0</label>
    </seclabel>
  </source>
  <target type="pci-serial" port="1">
    <model name="pci-serial"/>
  </target>
  <alias name="serial0"/>
  <address type="pci" domain="0x0000" bus="0x09" slot="0x01" function="0x0"/>
</serial>
[root@zhetang-rhel93 hotplug]# ll -Z /tmp | grep test
srwxrwxr-x. 1 qemu qemu system_u:object_r:svirt_image_t:s0 0 Jul 7 04:44 test1.sock
```

4. hotplug a device with dac label string, attached successfully

```
[root@zhetang-rhel93 hotplug]# cat dac_hotplug.xml
<serial type='unix'>
  <source mode='bind' path='/tmp/test1.sock'>
    <seclabel model='dac' relabel='yes'>
      <label>test:test</label>
    </seclabel>
  </source>
  <target type='pci-serial' port='1'/>
</serial>
[root@zhetang-rhel93 hotplug]# virsh attach-device rhel9 dac_hotplug.xml
Device attached successfully
[root@zhetang-rhel93 hotplug]# virsh dumpxml rhel9 --xpath //serial
<serial type="unix">
  <source mode="bind" path="/tmp/test1.sock">
    <seclabel model="dac" relabel="yes">
      <label>test:test</label>
    </seclabel>
  </source>
  <target type="pci-serial" port="1">
    <model name="pci-serial"/>
  </target>
  <alias name="serial0"/>
  <address type="pci" domain="0x0000" bus="0x09" slot="0x01" function="0x0"/>
</serial>
[root@zhetang-rhel93 hotplug]# ll /tmp | grep test
srwxrwxr-x. 1 test test 0 Jul 7 04:42 test1.sock
```

5. hotplug a device with relabel='no', attached successfully

```
[root@zhetang-rhel93 hotplug]# cat norelabel-hotplug.xml
<serial type='unix'>
  <source mode='bind' path='/tmp/test1.sock'>
    <seclabel model='selinux' relabel='no'>
    </seclabel>
  </source>
  <target type='pci-serial' port='1'/>
</serial>
[root@zhetang-rhel93 hotplug]# virsh attach-device rhel9 norelabel-hotplug.xml
Device attached successfully
[root@zhetang-rhel93 hotplug]# virsh dumpxml rhel9 --xpath //serial
<serial type="unix">
  <source mode="bind" path="/tmp/test1.sock">
    <seclabel model="selinux" relabel="no"/>
  </source>
  <target type="pci-serial" port="1">
    <model name="pci-serial"/>
  </target>
  <alias name="serial0"/>
  <address type="pci" domain="0x0000" bus="0x09" slot="0x01" function="0x0"/>
</serial>
```

verified on libvirt-9.5.0-5.el9.x86_64

1. hotplug a device with seclabel model 'selinux' and relabel='yes' without label string, failed with clear error message

```
[root@zhetang-rhel93 hotplug]# cat seclabel.plug.xml
<serial type='unix'>
  <source mode='bind' path='/tmp/test1.sock'>
    <seclabel model='selinux' relabel='yes'>
    </seclabel>
  </source>
  <target type='pci-serial' port='1'/>
</serial>
[root@zhetang-rhel93 hotplug]# virsh attach-device blob-rhel9-3 seclabel.plug.xml
error: Failed to attach device from seclabel.plug.xml
error: XML error: Cannot specify relabel if label is missing. model=selinux
```

2. hotplug a device with seclabel model 'dac' and relabel='yes' without label string, failed with clear error message

```
[root@zhetang-rhel93 hotplug]# cat dac_hotplug.xml
<serial type='unix'>
  <source mode='bind' path='/tmp/test1.sock'>
    <seclabel model='dac' relabel='yes'>
    </seclabel>
  </source>
  <target type='pci-serial' port='1'/>
</serial>
[root@zhetang-rhel93 hotplug]# virsh attach-device blob-rhel9-3 dac_hotplug.xml
error: Failed to attach device from dac_hotplug.xml
error: XML error: Cannot specify relabel if label is missing. model=dac
```

3. hotplug a device with selinux label string, attached successfully

```
[root@zhetang-rhel93 hotplug]# cat seclabel.plug.xml
<serial type='unix'>
  <source mode='bind' path='/tmp/test1.sock'>
    <seclabel model='selinux' relabel='yes'>
      <label>system_u:object_r:svirt_image_t:s0</label>
    </seclabel>
  </source>
  <target type='pci-serial' port='1'/>
</serial>
[root@zhetang-rhel93 hotplug]# virsh attach-device rhel9 seclabel.plug.xml
Device attached successfully
[root@zhetang-rhel93 hotplug]# virsh dumpxml rhel9 --xpath //serial
<serial type="unix">
  <source mode="bind" path="/tmp/test1.sock">
    <seclabel model="selinux" relabel="yes">
      <label>system_u:object_r:svirt_image_t:s0</label>
    </seclabel>
  </source>
  <target type="pci-serial" port="1">
    <model name="pci-serial"/>
  </target>
  <alias name="serial0"/>
  <address type="pci" domain="0x0000" bus="0x09" slot="0x01" function="0x0"/>
</serial>
```

4. hotplug a device with dac label string, attached successfully

```
[root@zhetang-rhel93 hotplug]# cat dac_hotplug.xml
<serial type='unix'>
  <source mode='bind' path='/tmp/test1.sock'>
    <seclabel model='dac' relabel='yes'>
      <label>test:test</label>
    </seclabel>
  </source>
  <target type='pci-serial' port='1'/>
</serial>
[root@zhetang-rhel93 hotplug]# virsh attach-device rhel9 dac_hotplug.xml
Device attached successfully
[root@zhetang-rhel93 hotplug]# virsh dumpxml rhel9 --xpath //serial
<serial type="unix">
  <source mode="bind" path="/tmp/test1.sock">
    <seclabel model="dac" relabel="yes">
      <label>test:test</label>
    </seclabel>
  </source>
  <target type="pci-serial" port="1">
    <model name="pci-serial"/>
  </target>
  <alias name="serial0"/>
  <address type="pci" domain="0x0000" bus="0x09" slot="0x01" function="0x0"/>
</serial>
```

5. hotplug a device with relabel='no', attached successfully

```
[root@zhetang-rhel93 hotplug]# cat norelabel-hotplug.xml
<serial type='unix'>
  <source mode='bind' path='/tmp/test1.sock'>
    <seclabel model='selinux' relabel='no'>
    </seclabel>
  </source>
  <target type='pci-serial' port='1'/>
</serial>
[root@zhetang-rhel93 hotplug]# virsh attach-device rhel9 norelabel-hotplug.xml
Device attached successfully
[root@zhetang-rhel93 hotplug]# virsh dumpxml rhel9 --xpath //serial
<serial type="unix">
  <source mode="bind" path="/tmp/test1.sock">
    <seclabel model="selinux" relabel="no"/>
  </source>
  <target type="pci-serial" port="1">
    <model name="pci-serial"/>
  </target>
  <alias name="serial0"/>
  <address type="pci" domain="0x0000" bus="0x09" slot="0x01" function="0x0"/>
</serial>
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: libvirt security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:6409
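The two device `<seclabel/>` sanity checks that the commit message above describes (reject a `<label/>` together with `relabel='no'`, and reject an explicit `relabel='yes'` with no `<label/>`), re-implemented in Python as an added example that is not libvirt's own parser code and not the QA verification tooling. It runs the checks over constructed copies of the five hotplug snippets from the verification steps. Assumptions: the function and class names are mine; the second error string reuses the wording shown in the bug output, while the first paraphrases the pre-existing check the commit mentions; a `<seclabel/>` with no `relabel` attribute at all is simply passed through, since the commit only talks about the case where `@relabel` is set.

```python
"""Added example: device <seclabel/> validation mirroring the libvirt fix
described in this bug. Not libvirt code; names and messages are assumptions
except where they copy the error text shown in the bug."""
import xml.etree.ElementTree as ET


class SeclabelError(ValueError):
    """Raised for a <seclabel/> combination the parser must reject."""


def check_device_seclabels(device_xml: str) -> list:
    """Return one dict per <seclabel/> in the device XML, or raise.

    Pre-existing check: a <label/> together with relabel='no' is rejected.
    Check added by the fix: an explicit relabel='yes' with no <label/> is
    rejected. A <seclabel/> that sets neither is left to the domain default.
    """
    root = ET.fromstring(device_xml)
    found = []
    for sec in root.iter("seclabel"):
        model = sec.get("model")
        relabel = sec.get("relabel")  # None when the attribute is absent
        label_el = sec.find("label")
        label = (label_el.text or "").strip() if label_el is not None else ""
        if label and relabel == "no":
            # Wording is my paraphrase of the older check, not libvirt's exact text.
            raise SeclabelError(
                f"Cannot specify a label if relabelling is turned off. model={model}")
        if relabel == "yes" and not label:
            # The check this bug added; message matches the virsh output above.
            raise SeclabelError(
                f"Cannot specify relabel if label is missing. model={model}")
        found.append({"model": model, "relabel": relabel, "label": label or None})
    return found


def _serial(seclabel_body: str) -> str:
    """Build the <serial> hotplug XML shape used in the verification steps."""
    return (
        "<serial type='unix'>"
        "<source mode='bind' path='/tmp/test1.sock'>"
        f"{seclabel_body}"
        "</source>"
        "<target type='pci-serial' port='1'/>"
        "</serial>"
    )


# Constructed copies of the five snippets from the verification comments.
SAMPLES = {
    "selinux_relabel_no_label": _serial(
        "<seclabel model='selinux' relabel='yes'></seclabel>"),
    "dac_relabel_no_label": _serial(
        "<seclabel model='dac' relabel='yes'></seclabel>"),
    "selinux_with_label": _serial(
        "<seclabel model='selinux' relabel='yes'>"
        "<label>system_u:object_r:svirt_image_t:s0</label></seclabel>"),
    "dac_with_label": _serial(
        "<seclabel model='dac' relabel='yes'><label>test:test</label></seclabel>"),
    "selinux_no_relabel": _serial(
        "<seclabel model='selinux' relabel='no'></seclabel>"),
}


def validate_all(samples=SAMPLES) -> dict:
    """Map each sample name to 'attached' or the rejection message."""
    outcome = {}
    for name, xml in samples.items():
        try:
            check_device_seclabels(xml)
            outcome[name] = "attached"
        except SeclabelError as err:
            outcome[name] = f"error: XML error: {err}"
    return outcome


if __name__ == "__main__":
    for name, result in validate_all().items():
        print(f"{name}: {result}")
```

Running the block prints one line per sample; the two `relabel='yes'`-without-label cases are rejected with the same message the bug's `virsh attach-device` output shows, and the other three are accepted, matching the five verification steps.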