Bug 853925
| Summary: | [configuration][doc] set security_driver in qemu.conf | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Wayne Sun <gsun> |
| Component: | libvirt | Assignee: | Martin Kletzander <mkletzan> |
| Status: | CLOSED ERRATA | QA Contact: | Virtualization Bugs <virt-bugs> |
| Severity: | low | Docs Contact: | |
| Priority: | medium | ||
| Version: | 6.4 | CC: | acathrow, dyasny, dyuan, mzhan, rwu, zhpeng |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | libvirt-0.10.2-0rc1.el6 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-02-21 07:22:59 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Moving to POST:
commit 95fbc833874f93d099ed3e017f61699b905cd70c
Author: Martin Kletzander <mkletzan>
Date: Tue Sep 4 16:09:43 2012 +0200
conf: describe security_driver behavior
pkg: libvirt-0.10.2-0rc1.el6.x86_64 The description updated in qemu.conf, so this is fixed. # The default security driver is SELinux. If SELinux is disabled # on the host, then the security driver will automatically disable # itself. If you wish to disable QEMU SELinux security driver while # leaving SELinux enabled for the host in general, then set this # to 'none' instead. It's also possible to use more than one security # driver at the same time, for this use a list of names separated by # comma and delimited by square brackets. For example: # # security_driver = [ "selinux", "apparmor" ] # # Notes: The DAC security driver is always enabled; as a result, the # value of security_driver cannot contain "dac". The value "none" is # a special value; security_driver can be set to that value in # isolation, but it cannot appear in a list of drivers. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0276.html |
Description of problem: With latest patch: From: "Daniel P. Berrange"<berrange> If no 'security_driver' config option was set, then the code just loaded the 'dac' security driver. This is a regression on previous behaviour, where we would probe for a possible security driver. ie default to SELinux if available. This changes things so that it 'security_driver' is not set, we once again do probing. For simplicity we also always create the stack driver, even if there is only one driver active. The desired semantics are: - security_driver not set -> probe for selinux/apparmour/nop -> auto-add DAC driver - security_driver set to a string -> add that one driver -> auto-add DAC driver - security_driver set to a list -> add all drivers in list -> auto-add DAC driver It is not allowed, or possible to specify 'dac' in the security_driver config param, since that is always enabled. Following config will have problem and should not be allowed: security_driver as: "dac" [ "none" ] [ "none", "dac" ] [ "none", "selinux"] [ "none", "selinux", "dac"] It should be mentioned in doc and recorded in qemu.conf. Following is what acceptable: "none" this will auto-add DAC driver "selinux" this will auto-add DAC driver ["selinux"] this will auto-add DAC driver security_driver = [ "selinux", "apparmor" ] support use in this way, but we do not have apparmor. Version-Release number of selected component (if applicable): libvirt-0.10.1-1.el6.x86_64 How reproducible: always Steps to Reproduce: 1. 2. 3. Actual results: doc and qemu.conf not covered this Expected results: cover the detail Additional info: