Bug 2160356 - Libvirt should not allow to add device selinux label without label string when relabel="yes"
Summary: Libvirt should not allow to add device selinux label without label string whe...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: libvirt
Version: 9.2
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Michal Privoznik
QA Contact: zhentang
URL:
Whiteboard:
Depends On:
Blocks: 2209225
Reported: 2023-01-12 07:06 UTC by Han Han
Modified: 2023-11-07 09:39 UTC (History)

Fixed In Version: libvirt-9.5.0-0rc1.1.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 2209225
Environment:
Last Closed: 2023-11-07 08:30:47 UTC
Type: Bug
Target Upstream Version: 9.5.0
Embargoed:


Attachments (Terms of Use)
The XML of VM (9.52 KB, text/plain), 2023-01-12 07:06 UTC, Han Han


Links
Red Hat Issue Tracker RHELPLAN-144904 (last updated 2023-01-12 07:08:40 UTC)
Red Hat Product Errata RHSA-2023:6409 (last updated 2023-11-07 08:31:29 UTC)

Description Han Han 2023-01-12 07:06:13 UTC
Created attachment 1937534 [details]
The XML of VM

Description of problem:
As subject

Version-Release number of selected component (if applicable):
libvirt-8.10.0-2.el9.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Start a VM
2. Attach the console:
<console type="file">
  <source path="/var/log/libvirt/test.log" append="on">
    <seclabel model="selinux" relabel="yes">
    </seclabel>
  </source>
  <alias name="ua-console"/>
  <target type="virtio" port="1"/>
</console>

# virsh attach-device rhel-9.2 console-file.xml         
Device attached successfully 


3. Dump and validate the VM XML:
# virsh dumpxml rhel-9.2 > /tmp/vm.xml

# virt-xml-validate /tmp/vm.xml       
Relax-NG validity error : Extra element devices in interleave
/tmp/vm.xml:36: element devices: Relax-NG validity error : Element domain failed to validate content
/tmp/vm.xml fails to validate

4. Detach the console device and validate the VM XML:
# virsh dumpxml rhel-9.2 > /tmp/new.xml

# virt-xml-validate /tmp/new.xml
/tmp/new.xml validates

Actual results:
As above

Expected results:
As https://bugzilla.redhat.com/show_bug.cgi?id=1528628#c2 said, the <label> should be specified. So libvirt should validate the device XML before attaching and pop up an error like "the label string should be specified for label='yes'".

Additional info:
See the domain XML of failed validating in the attachment

Comment 1 Michal Privoznik 2023-01-18 12:05:30 UTC
There's a lot of historical baggage around parsing of <seclabel/>-s so we must be careful to not break existing applications.

Comment 4 Michal Privoznik 2023-05-29 12:48:11 UTC
Patch proposed on the list:

https://listman.redhat.com/archives/libvir-list/2023-May/240090.html

Comment 5 Michal Privoznik 2023-06-01 11:58:02 UTC
Merged upstream as:

commit a36318be9d6fec1be3bd2bafefff0849e6b9e13a
Author:     Michal Prívozník <mprivozn>
AuthorDate: Thu May 25 15:43:56 2023 +0200
Commit:     Michal Prívozník <mprivozn>
CommitDate: Thu Jun 1 13:53:09 2023 +0200

    conf: Reject invalid device's <seclabel relabel='yes'/> with no <label/>
    
    We allow (some) domain devices to have a different <seclabel/>
    than the top level domain one (this is mostly to allow access to
    a resource for multiple domains). Now, we do a couple of sanity
    checks for such <seclabel/>, e.g. when the <label/> is specified,
    but '@relabel' is set to no. But what we are missing is the
    opposite: when '@relabel' is set, but no <label/> was provided.
    
    Our schema already denies such combination. Make our parser
    behave the same.
    
    Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2160356
    Signed-off-by: Michal Privoznik <mprivozn>
    Reviewed-by: Ján Tomko <jtomko>

v9.4.0-2-ga36318be9d
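
The two parser sanity checks the commit message describes, as an added Python example (not libvirt's own C code): it walks a device fragment such as the one passed to virsh attach-device, or only the <devices> section of a full domain XML, and reports the <seclabel/> combinations libvirt 9.5 rejects. The sample devices are constructed from the XML on this page; only the relabel='yes' message is quoted from the bug, the relabel='no' wording is an approximation of libvirt's, and a <seclabel/> with no relabel attribute at all is deliberately left to libvirt's defaults.

```python
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample: the console device from the report, whose empty
# <seclabel relabel="yes"/> libvirt 8.10 accepted but the RNG schema rejects.
BAD_CONSOLE = """<console type="file">
  <source path="/var/log/libvirt/test.log" append="on">
    <seclabel model="selinux" relabel="yes"/>
  </source>
  <target type="virtio" port="1"/>
</console>"""

# Constructed sample: the serial device from the verification run, with a label.
GOOD_SERIAL = """<serial type="unix">
  <source mode="bind" path="/tmp/test1.sock">
    <seclabel model="selinux" relabel="yes">
      <label>system_u:object_r:svirt_image_t:s0</label>
    </seclabel>
  </source>
  <target type="pci-serial" port="1"/>
</serial>"""


def check_seclabels(xml_text: str) -> List[str]:
    """Errors libvirt >= 9.5 raises for device <seclabel/>s in a fragment
    or a full <domain> (then only <devices> is checked; the domain-level
    <seclabel/> follows different rules and is skipped)."""
    root = ET.fromstring(xml_text)
    scope = root.find("devices") if root.tag == "domain" else root
    if scope is None:
        return []
    errors = []
    for sec in scope.iter("seclabel"):
        model = sec.get("model", "")
        relabel = sec.get("relabel")  # None when the attribute is absent
        label = sec.findtext("label", default="").strip()
        if relabel == "no" and label:
            # Pre-existing libvirt check; this wording is an approximation.
            errors.append(f"Cannot specify a label if relabelling is turned off. model={model}")
        elif relabel == "yes" and not label:
            # The check added by the fix; message as shown in the bug.
            errors.append(f"Cannot specify relabel if label is missing. model={model}")
        # No explicit relabel attribute: left to libvirt's defaults, not checked here.
    return errors
```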

Comment 8 zhentang 2023-07-07 08:54:02 UTC
Tested on libvirt-9.5.0-0rc1.1.el9.x86_64

1. Hotplug a device with seclabel model 'selinux' and relabel='yes' without a label string; it fails with a clear error message:
[root@zhetang-rhel93 hotplug]# cat seclabel.plug.xml
<serial type='unix'>
  <source mode='bind' path='/tmp/test1.sock'>
    <seclabel model='selinux' relabel='yes'>
    </seclabel>
  </source>
  <target type='pci-serial' port='1'/>
</serial>

[root@zhetang-rhel93 hotplug]# virsh attach-device rhel9 seclabel.plug.xml 
error: Failed to attach device from seclabel.plug.xml
error: XML error: Cannot specify relabel if label is missing. model=selinux


2. Hotplug a device with seclabel model 'dac' and relabel='yes' without a label string; it fails with a clear error message:
[root@zhetang-rhel93 hotplug]# cat dac_hotplug.xml
<serial type='unix'>
  <source mode='bind' path='/tmp/test1.sock'>
    <seclabel model='dac' relabel='yes'>
    </seclabel>
  </source>
  <target type='pci-serial' port='1'/>
</serial>

[root@zhetang-rhel93 hotplug]# virsh attach-device rhel9 dac_hotplug.xml 
error: Failed to attach device from dac_hotplug.xml
error: XML error: Cannot specify relabel if label is missing. model=dac

3. Hotplug a device with a selinux label string; it attaches successfully:
[root@zhetang-rhel93 hotplug]# cat seclabel.plug.xml
<serial type='unix'>
  <source mode='bind' path='/tmp/test1.sock'>
    <seclabel model='selinux' relabel='yes'>
      <label>system_u:object_r:svirt_image_t:s0</label>
    </seclabel>
  </source>
  <target type='pci-serial' port='1'/>
</serial>
[root@zhetang-rhel93 hotplug]# virsh attach-device rhel9 seclabel.plug.xml 
Device attached successfully

[root@zhetang-rhel93 hotplug]# virsh dumpxml rhel9 --xpath //serial
<serial type="unix">
  <source mode="bind" path="/tmp/test1.sock">
    <seclabel model="selinux" relabel="yes">
      <label>system_u:object_r:svirt_image_t:s0</label>
    </seclabel>
  </source>
  <target type="pci-serial" port="1">
    <model name="pci-serial"/>
  </target>
  <alias name="serial0"/>
  <address type="pci" domain="0x0000" bus="0x09" slot="0x01" function="0x0"/>
</serial>

[root@zhetang-rhel93 hotplug]# ll -Z /tmp | grep test
srwxrwxr-x. 1 qemu qemu system_u:object_r:svirt_image_t:s0          0 Jul  7 04:44 test1.sock



4. Hotplug a device with a dac label string; it attaches successfully:

[root@zhetang-rhel93 hotplug]# cat dac_hotplug.xml
<serial type='unix'>
  <source mode='bind' path='/tmp/test1.sock'>
    <seclabel model='dac' relabel='yes'>
      <label>test:test</label>
    </seclabel>
  </source>
  <target type='pci-serial' port='1'/>
</serial>
[root@zhetang-rhel93 hotplug]# virsh attach-device rhel9 dac_hotplug.xml 
Device attached successfully
[root@zhetang-rhel93 hotplug]# virsh dumpxml rhel9 --xpath //serial
<serial type="unix">
  <source mode="bind" path="/tmp/test1.sock">
    <seclabel model="dac" relabel="yes">
      <label>test:test</label>
    </seclabel>
  </source>
  <target type="pci-serial" port="1">
    <model name="pci-serial"/>
  </target>
  <alias name="serial0"/>
  <address type="pci" domain="0x0000" bus="0x09" slot="0x01" function="0x0"/>
</serial>

[root@zhetang-rhel93 hotplug]# ll /tmp | grep test
srwxrwxr-x. 1 test test         0 Jul  7 04:42 test1.sock


5. Hotplug a device with relabel='no'; it attaches successfully:

[root@zhetang-rhel93 hotplug]# cat norelabel-hotplug.xml
<serial type='unix'>
  <source mode='bind' path='/tmp/test1.sock'>
    <seclabel model='selinux' relabel='no'>
    </seclabel>
  </source>
  <target type='pci-serial' port='1'/>
</serial>

[root@zhetang-rhel93 hotplug]# virsh attach-device rhel9 norelabel-hotplug.xml 
Device attached successfully

[root@zhetang-rhel93 hotplug]# virsh dumpxml rhel9 --xpath //serial
<serial type="unix">
  <source mode="bind" path="/tmp/test1.sock">
    <seclabel model="selinux" relabel="no"/>
  </source>
  <target type="pci-serial" port="1">
    <model name="pci-serial"/>
  </target>
  <alias name="serial0"/>
  <address type="pci" domain="0x0000" bus="0x09" slot="0x01" function="0x0"/>
</serial>

Comment 11 zhentang 2023-08-11 04:16:47 UTC
Verified on libvirt-9.5.0-5.el9.x86_64

1. Hotplug a device with seclabel model 'selinux' and relabel='yes' without a label string; it fails with a clear error message:
[root@zhetang-rhel93 hotplug]# cat seclabel.plug.xml
<serial type='unix'>
  <source mode='bind' path='/tmp/test1.sock'>
    <seclabel model='selinux' relabel='yes'>
    </seclabel>
  </source>
  <target type='pci-serial' port='1'/>
</serial>
[root@zhetang-rhel93 hotplug]# virsh attach-device blob-rhel9-3 seclabel.plug.xml 
error: Failed to attach device from seclabel.plug.xml
error: XML error: Cannot specify relabel if label is missing. model=selinux

2. Hotplug a device with seclabel model 'dac' and relabel='yes' without a label string; it fails with a clear error message:
[root@zhetang-rhel93 hotplug]# cat dac_hotplug.xml
<serial type='unix'>
  <source mode='bind' path='/tmp/test1.sock'>
    <seclabel model='dac' relabel='yes'>
    </seclabel>
  </source>
  <target type='pci-serial' port='1'/>
</serial>
[root@zhetang-rhel93 hotplug]# virsh attach-device blob-rhel9-3 dac_hotplug.xml 
error: Failed to attach device from dac_hotplug.xml
error: XML error: Cannot specify relabel if label is missing. model=dac

3. Hotplug a device with a selinux label string; it attaches successfully:
[root@zhetang-rhel93 hotplug]# cat seclabel.plug.xml
<serial type='unix'>
  <source mode='bind' path='/tmp/test1.sock'>
    <seclabel model='selinux' relabel='yes'>
      <label>system_u:object_r:svirt_image_t:s0</label>
    </seclabel>
  </source>
  <target type='pci-serial' port='1'/>
</serial>

[root@zhetang-rhel93 hotplug]# virsh attach-device rhel9 seclabel.plug.xml 
Device attached successfully

[root@zhetang-rhel93 hotplug]# virsh dumpxml rhel9 --xpath //serial
<serial type="unix">
  <source mode="bind" path="/tmp/test1.sock">
    <seclabel model="selinux" relabel="yes">
      <label>system_u:object_r:svirt_image_t:s0</label>
    </seclabel>
  </source>
  <target type="pci-serial" port="1">
    <model name="pci-serial"/>
  </target>
  <alias name="serial0"/>
  <address type="pci" domain="0x0000" bus="0x09" slot="0x01" function="0x0"/>
</serial>

4. Hotplug a device with a dac label string; it attaches successfully:
[root@zhetang-rhel93 hotplug]# cat dac_hotplug.xml
<serial type='unix'>
  <source mode='bind' path='/tmp/test1.sock'>
    <seclabel model='dac' relabel='yes'>
      <label>test:test</label>
    </seclabel>
  </source>
  <target type='pci-serial' port='1'/>
</serial>

[root@zhetang-rhel93 hotplug]# virsh attach-device rhel9 dac_hotplug.xml 
Device attached successfully

[root@zhetang-rhel93 hotplug]# virsh dumpxml rhel9 --xpath //serial
<serial type="unix">
  <source mode="bind" path="/tmp/test1.sock">
    <seclabel model="dac" relabel="yes">
      <label>test:test</label>
    </seclabel>
  </source>
  <target type="pci-serial" port="1">
    <model name="pci-serial"/>
  </target>
  <alias name="serial0"/>
  <address type="pci" domain="0x0000" bus="0x09" slot="0x01" function="0x0"/>
</serial>


5. Hotplug a device with relabel='no'; it attaches successfully:
[root@zhetang-rhel93 hotplug]# cat norelabel-hotplug.xml
<serial type='unix'>
  <source mode='bind' path='/tmp/test1.sock'>
    <seclabel model='selinux' relabel='no'>
    </seclabel>
  </source>
  <target type='pci-serial' port='1'/>
</serial>
[root@zhetang-rhel93 hotplug]# virsh attach-device rhel9 norelabel-hotplug.xml 
Device attached successfully
[root@zhetang-rhel93 hotplug]# virsh dumpxml rhel9 --xpath //serial
<serial type="unix">
  <source mode="bind" path="/tmp/test1.sock">
    <seclabel model="selinux" relabel="no"/>
  </source>
  <target type="pci-serial" port="1">
    <model name="pci-serial"/>
  </target>
  <alias name="serial0"/>
  <address type="pci" domain="0x0000" bus="0x09" slot="0x01" function="0x0"/>
</serial>

Comment 13 errata-xmlrpc 2023-11-07 08:30:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: libvirt security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:6409

