Created attachment 1937534 [details]
The XML of VM

Description of problem:
As subject

Version-Release number of selected component (if applicable):
libvirt-8.10.0-2.el9.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Start a VM

2. Attach the console

    <console type="file">
      <source path="/var/log/libvirt/test.log" append="on">
        <seclabel model="selinux" relabel="yes">
        </seclabel>
      </source>
      <alias name="ua-console"/>
      <target type="virtio" port="1"/>
    </console>

    # virsh attach-device rhel-9.2 console-file.xml
    Device attached successfully

3. Dump and validate the VM XML:

    # virsh dumpxml rhel-9.2 > /tmp/vm.xml
    # virt-xml-validate /tmp/vm.xml
    Relax-NG validity error : Extra element devices in interleave
    /tmp/vm.xml:36: element devices: Relax-NG validity error : Element domain failed to validate content
    /tmp/vm.xml fails to validate

4. Detach the console device and validate the VM XML:

    # virsh dumpxml rhel-9.2 > /tmp/new.xml
    # virt-xml-validate /tmp/new.xml
    /tmp/new.xml validates

Actual results:
As above

Expected results:
As https://bugzilla.redhat.com/show_bug.cgi?id=1528628#c2 said, the <label> should be specified. So libvirt should validate the device XML before attaching and pop up an error like "the label string should be specified for label='yes'"

Additional info:
See the domain XML that failed validation in the attachment
There's a lot of historical baggage around parsing of <seclabel/>-s so we must be careful to not break existing applications.
Patch proposed on the list: https://listman.redhat.com/archives/libvir-list/2023-May/240090.html
Merged upstream as:

commit a36318be9d6fec1be3bd2bafefff0849e6b9e13a
Author:     Michal Prívozník <mprivozn>
AuthorDate: Thu May 25 15:43:56 2023 +0200
Commit:     Michal Prívozník <mprivozn>
CommitDate: Thu Jun 1 13:53:09 2023 +0200

    conf: Reject invalid device's <seclabel relabel='yes'/> with no <label/>

    We allow (some) domain devices to have a different <seclabel/>
    than the top level domain one (this is mostly to allow access to
    a resource for multiple domains). Now, we do a couple of sanity
    checks for such <seclabel/>, e.g. when the <label/> is specified,
    but '@relabel' is set to no. But what we are missing is the
    opposite: when '@relabel' is set, but no <label/> was provided.
    Our schema already denies such a combination. Make our parser
    behave the same.

    Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2160356
    Signed-off-by: Michal Privoznik <mprivozn>
    Reviewed-by: Ján Tomko <jtomko>

v9.4.0-2-ga36318be9d
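The two rules the commit message describes (a per-device <seclabel/> with relabel='yes' must carry a <label/>, and one with relabel='no' must not) are easy to apply as a pre-flight check on a device XML fragment before handing it to virsh attach-device. The script below is an added example and is not libvirt's code; it uses only the Python standard library. The first error string copies the message libvirt prints in the test comments on this bug; the second is our own wording for the pre-existing relabel='no' check, not libvirt's text. The sample fragments are constructed from the device XMLs posted on this bug, and the file name check_seclabel.py is hypothetical.

```python
# Added example (not libvirt's own code): pre-flight check applying the same
# two per-device <seclabel/> rules the commit message describes, so an invalid
# fragment is rejected before it ever reaches `virsh attach-device`.
import sys
import xml.etree.ElementTree as ET


def seclabel_errors(device_xml: str) -> list[str]:
    """Return one error string per invalid <seclabel/> in a device XML fragment.

    Rules (from the commit message):
      * relabel='yes' requires a non-empty <label/>   (the check the fix adds;
        the message text matches what libvirt prints in the test comments)
      * relabel='no' must not carry a <label/>        (the pre-existing check;
        the wording below is ours, not libvirt's)
    An empty list means the fragment passes both rules.
    """
    root = ET.fromstring(device_xml)
    errors = []
    for sec in root.iter("seclabel"):
        model = sec.get("model", "")
        relabel = sec.get("relabel")
        # findtext() is None when <label/> is absent; normalise to "" so an
        # empty <label></label> is treated the same as a missing one.
        label = (sec.findtext("label") or "").strip()
        if relabel == "yes" and not label:
            errors.append(f"Cannot specify relabel if label is missing. model={model}")
        elif relabel == "no" and label:
            errors.append(f"Label given but relabel is turned off. model={model}")
    return errors


# Constructed samples, copied from the device XMLs in the comments on this bug.
MISSING_LABEL = """<serial type='unix'>
  <source mode='bind' path='/tmp/test1.sock'>
    <seclabel model='selinux' relabel='yes'>
    </seclabel>
  </source>
  <target type='pci-serial' port='1'/>
</serial>"""

WITH_LABEL = """<serial type='unix'>
  <source mode='bind' path='/tmp/test1.sock'>
    <seclabel model='dac' relabel='yes'>
      <label>test:test</label>
    </seclabel>
  </source>
  <target type='pci-serial' port='1'/>
</serial>"""

NO_RELABEL = """<serial type='unix'>
  <source mode='bind' path='/tmp/test1.sock'>
    <seclabel model='selinux' relabel='no'>
    </seclabel>
  </source>
  <target type='pci-serial' port='1'/>
</serial>"""


if __name__ == "__main__":
    # Usage: python3 check_seclabel.py device.xml [...]   (hypothetical file name)
    # Exit status 1 mirrors `virsh attach-device` refusing the fragment.
    # With no arguments, run the three constructed samples as a demonstration.
    if len(sys.argv) > 1:
        inputs = [(p, open(p).read()) for p in sys.argv[1:]]
    else:
        inputs = [("MISSING_LABEL", MISSING_LABEL),
                  ("WITH_LABEL", WITH_LABEL),
                  ("NO_RELABEL", NO_RELABEL)]
    failed = False
    for name, xml in inputs:
        problems = seclabel_errors(xml)
        for err in problems:
            print(f"{name}: error: XML error: {err}")
        if not problems:
            print(f"{name}: ok")
        failed = failed or bool(problems)
    sys.exit(1 if failed else 0)
```

The check matters because the <label/> is what libvirt relabels the resource to (the svirt_image_t context on test1.sock in the test output below); with relabel='yes' and no label there is nothing to apply, which is why the fixed parser refuses the fragment instead of silently attaching it.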
Tested on libvirt-9.5.0-0rc1.1.el9.x86_64

1. hotplug a device with seclabel model 'selinux' and relabel='yes' without label string, failed with clear error message

[root@zhetang-rhel93 hotplug]# cat seclabel.plug.xml
<serial type='unix'>
  <source mode='bind' path='/tmp/test1.sock'>
    <seclabel model='selinux' relabel='yes'>
    </seclabel>
  </source>
  <target type='pci-serial' port='1'/>
</serial>

[root@zhetang-rhel93 hotplug]# virsh attach-device rhel9 seclabel.plug.xml
error: Failed to attach device from seclabel.plug.xml
error: XML error: Cannot specify relabel if label is missing. model=selinux

2. hotplug a device with seclabel model 'dac' and relabel='yes' without label string, failed with clear error message

[root@zhetang-rhel93 hotplug]# cat dac_hotplug.xml
<serial type='unix'>
  <source mode='bind' path='/tmp/test1.sock'>
    <seclabel model='dac' relabel='yes'>
    </seclabel>
  </source>
  <target type='pci-serial' port='1'/>
</serial>

[root@zhetang-rhel93 hotplug]# virsh attach-device rhel9 dac_hotplug.xml
error: Failed to attach device from dac_hotplug.xml
error: XML error: Cannot specify relabel if label is missing. model=dac

3. hotplug a device with selinux label string, attached successfully

[root@zhetang-rhel93 hotplug]# cat seclabel.plug.xml
<serial type='unix'>
  <source mode='bind' path='/tmp/test1.sock'>
    <seclabel model='selinux' relabel='yes'>
      <label>system_u:object_r:svirt_image_t:s0</label>
    </seclabel>
  </source>
  <target type='pci-serial' port='1'/>
</serial>

[root@zhetang-rhel93 hotplug]# virsh attach-device rhel9 seclabel.plug.xml
Device attached successfully

[root@zhetang-rhel93 hotplug]# virsh dumpxml rhel9 --xpath //serial
<serial type="unix">
  <source mode="bind" path="/tmp/test1.sock">
    <seclabel model="selinux" relabel="yes">
      <label>system_u:object_r:svirt_image_t:s0</label>
    </seclabel>
  </source>
  <target type="pci-serial" port="1">
    <model name="pci-serial"/>
  </target>
  <alias name="serial0"/>
  <address type="pci" domain="0x0000" bus="0x09" slot="0x01" function="0x0"/>
</serial>

[root@zhetang-rhel93 hotplug]# ll -Z /tmp | grep test
srwxrwxr-x. 1 qemu qemu system_u:object_r:svirt_image_t:s0 0 Jul 7 04:44 test1.sock

4. hotplug a device with dac label string, attached successfully

[root@zhetang-rhel93 hotplug]# cat dac_hotplug.xml
<serial type='unix'>
  <source mode='bind' path='/tmp/test1.sock'>
    <seclabel model='dac' relabel='yes'>
      <label>test:test</label>
    </seclabel>
  </source>
  <target type='pci-serial' port='1'/>
</serial>

[root@zhetang-rhel93 hotplug]# virsh attach-device rhel9 dac_hotplug.xml
Device attached successfully

[root@zhetang-rhel93 hotplug]# virsh dumpxml rhel9 --xpath //serial
<serial type="unix">
  <source mode="bind" path="/tmp/test1.sock">
    <seclabel model="dac" relabel="yes">
      <label>test:test</label>
    </seclabel>
  </source>
  <target type="pci-serial" port="1">
    <model name="pci-serial"/>
  </target>
  <alias name="serial0"/>
  <address type="pci" domain="0x0000" bus="0x09" slot="0x01" function="0x0"/>
</serial>

[root@zhetang-rhel93 hotplug]# ll /tmp | grep test
srwxrwxr-x. 1 test test 0 Jul 7 04:42 test1.sock

5. hotplug a device with relabel='no', attached successfully

[root@zhetang-rhel93 hotplug]# cat norelabel-hotplug.xml
<serial type='unix'>
  <source mode='bind' path='/tmp/test1.sock'>
    <seclabel model='selinux' relabel='no'>
    </seclabel>
  </source>
  <target type='pci-serial' port='1'/>
</serial>

[root@zhetang-rhel93 hotplug]# virsh attach-device rhel9 norelabel-hotplug.xml
Device attached successfully

[root@zhetang-rhel93 hotplug]# virsh dumpxml rhel9 --xpath //serial
<serial type="unix">
  <source mode="bind" path="/tmp/test1.sock">
    <seclabel model="selinux" relabel="no"/>
  </source>
  <target type="pci-serial" port="1">
    <model name="pci-serial"/>
  </target>
  <alias name="serial0"/>
  <address type="pci" domain="0x0000" bus="0x09" slot="0x01" function="0x0"/>
</serial>
verified on libvirt-9.5.0-5.el9.x86_64

1. hotplug a device with seclabel model 'selinux' and relabel='yes' without label string, failed with clear error message

[root@zhetang-rhel93 hotplug]# cat seclabel.plug.xml
<serial type='unix'>
  <source mode='bind' path='/tmp/test1.sock'>
    <seclabel model='selinux' relabel='yes'>
    </seclabel>
  </source>
  <target type='pci-serial' port='1'/>
</serial>

[root@zhetang-rhel93 hotplug]# virsh attach-device blob-rhel9-3 seclabel.plug.xml
error: Failed to attach device from seclabel.plug.xml
error: XML error: Cannot specify relabel if label is missing. model=selinux

2. hotplug a device with seclabel model 'dac' and relabel='yes' without label string, failed with clear error message

[root@zhetang-rhel93 hotplug]# cat dac_hotplug.xml
<serial type='unix'>
  <source mode='bind' path='/tmp/test1.sock'>
    <seclabel model='dac' relabel='yes'>
    </seclabel>
  </source>
  <target type='pci-serial' port='1'/>
</serial>

[root@zhetang-rhel93 hotplug]# virsh attach-device blob-rhel9-3 dac_hotplug.xml
error: Failed to attach device from dac_hotplug.xml
error: XML error: Cannot specify relabel if label is missing. model=dac

3. hotplug a device with selinux label string, attached successfully

[root@zhetang-rhel93 hotplug]# cat seclabel.plug.xml
<serial type='unix'>
  <source mode='bind' path='/tmp/test1.sock'>
    <seclabel model='selinux' relabel='yes'>
      <label>system_u:object_r:svirt_image_t:s0</label>
    </seclabel>
  </source>
  <target type='pci-serial' port='1'/>
</serial>

[root@zhetang-rhel93 hotplug]# virsh attach-device rhel9 seclabel.plug.xml
Device attached successfully

[root@zhetang-rhel93 hotplug]# virsh dumpxml rhel9 --xpath //serial
<serial type="unix">
  <source mode="bind" path="/tmp/test1.sock">
    <seclabel model="selinux" relabel="yes">
      <label>system_u:object_r:svirt_image_t:s0</label>
    </seclabel>
  </source>
  <target type="pci-serial" port="1">
    <model name="pci-serial"/>
  </target>
  <alias name="serial0"/>
  <address type="pci" domain="0x0000" bus="0x09" slot="0x01" function="0x0"/>
</serial>

4. hotplug a device with dac label string, attached successfully

[root@zhetang-rhel93 hotplug]# cat dac_hotplug.xml
<serial type='unix'>
  <source mode='bind' path='/tmp/test1.sock'>
    <seclabel model='dac' relabel='yes'>
      <label>test:test</label>
    </seclabel>
  </source>
  <target type='pci-serial' port='1'/>
</serial>

[root@zhetang-rhel93 hotplug]# virsh attach-device rhel9 dac_hotplug.xml
Device attached successfully

[root@zhetang-rhel93 hotplug]# virsh dumpxml rhel9 --xpath //serial
<serial type="unix">
  <source mode="bind" path="/tmp/test1.sock">
    <seclabel model="dac" relabel="yes">
      <label>test:test</label>
    </seclabel>
  </source>
  <target type="pci-serial" port="1">
    <model name="pci-serial"/>
  </target>
  <alias name="serial0"/>
  <address type="pci" domain="0x0000" bus="0x09" slot="0x01" function="0x0"/>
</serial>

5. hotplug a device with relabel='no', attached successfully

[root@zhetang-rhel93 hotplug]# cat norelabel-hotplug.xml
<serial type='unix'>
  <source mode='bind' path='/tmp/test1.sock'>
    <seclabel model='selinux' relabel='no'>
    </seclabel>
  </source>
  <target type='pci-serial' port='1'/>
</serial>

[root@zhetang-rhel93 hotplug]# virsh attach-device rhel9 norelabel-hotplug.xml
Device attached successfully

[root@zhetang-rhel93 hotplug]# virsh dumpxml rhel9 --xpath //serial
<serial type="unix">
  <source mode="bind" path="/tmp/test1.sock">
    <seclabel model="selinux" relabel="no"/>
  </source>
  <target type="pci-serial" port="1">
    <model name="pci-serial"/>
  </target>
  <alias name="serial0"/>
  <address type="pci" domain="0x0000" bus="0x09" slot="0x01" function="0x0"/>
</serial>