Bug 853925 - [configuration][doc] set security_driver in qemu.conf
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libvirt
Version: 6.4
Hardware: x86_64 Linux
Priority: medium / Severity: low
Assigned To: Martin Kletzander
Virtualization Bugs
Depends On:
Blocks:
Reported: 2012-09-03 06:39 EDT by Wayne Sun
Modified: 2013-02-21 02:22 EST (History)

See Also:
Fixed In Version: libvirt-0.10.2-0rc1.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-02-21 02:22:59 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description Wayne Sun 2012-09-03 06:39:07 EDT
Description of problem:
With latest patch:

From: "Daniel P. Berrange"<berrange@redhat.com>

If no 'security_driver' config option was set, then the code
just loaded the 'dac' security driver. This is a regression
on previous behaviour, where we would probe for a possible
security driver, i.e. default to SELinux if available.

This changes things so that if 'security_driver' is not set,
we once again do probing. For simplicity we also always
create the stack driver, even if there is only one driver
active.

The desired semantics are:

 - security_driver not set
     -> probe for selinux/apparmor/nop
     -> auto-add DAC driver
 - security_driver set to a string
     -> add that one driver
     -> auto-add DAC driver
 - security_driver set to a list
     -> add all drivers in list
     -> auto-add DAC driver

It is not allowed, or possible to specify 'dac' in the
security_driver config param, since that is always
enabled.

The following configs will cause problems and should not be allowed:
security_driver set to:
"dac"
[ "none" ]
[ "none", "dac" ]
[ "none", "selinux"]
[ "none", "selinux", "dac"]

It should be mentioned in doc and recorded in qemu.conf.

The following is acceptable:
"none"  this will auto-add DAC driver
"selinux" this will auto-add DAC driver
["selinux"] this will auto-add DAC driver

security_driver = [ "selinux", "apparmor" ] is supported in this form, but we do not have apparmor.

Version-Release number of selected component (if applicable):
libvirt-0.10.1-1.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1.
2.
3.
  
Actual results:
The doc and qemu.conf do not cover this.

Expected results:
Cover the details.

Additional info:
Comment 2 Martin Kletzander 2012-09-05 00:49:40 EDT
Moving to POST:

commit 95fbc833874f93d099ed3e017f61699b905cd70c
Author: Martin Kletzander <mkletzan@redhat.com>
Date:   Tue Sep 4 16:09:43 2012 +0200

    conf: describe security_driver behavior
Comment 4 Wayne Sun 2012-09-19 02:56:37 EDT
pkg:
libvirt-0.10.2-0rc1.el6.x86_64

The description is updated in qemu.conf, so this is fixed.

# The default security driver is SELinux. If SELinux is disabled
# on the host, then the security driver will automatically disable
# itself. If you wish to disable QEMU SELinux security driver while
# leaving SELinux enabled for the host in general, then set this
# to 'none' instead. It's also possible to use more than one security
# driver at the same time, for this use a list of names separated by
# comma and delimited by square brackets. For example:
#
#       security_driver = [ "selinux", "apparmor" ]
#
# Notes: The DAC security driver is always enabled; as a result, the
# value of security_driver cannot contain "dac".  The value "none" is
# a special value; security_driver can be set to that value in
# isolation, but it cannot appear in a list of drivers.
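The rules spelled out in the description (probe when unset, string or list otherwise, DAC always appended, "dac" never nameable, "none" only in isolation) and restated in the qemu.conf text above can be checked mechanically. The following is an added example, not libvirt's own parser or any code from this bug: a small validator for the security_driver line that applies exactly those rules and reports the driver stack that would result. The probe order, the host-driver set passed in, and the sample lines are assumptions constructed for the example.

```python
import re

# Assumed probe order when security_driver is unset, taken from the commit
# message quoted in the description ("probe for selinux/apparmour/nop").
PROBE_ORDER = ("selinux", "apparmor", "none")
# The DAC driver is always stacked on and may never be named in the config.
ALWAYS_ON = "dac"

class SecurityDriverConfigError(ValueError):
    """Raised for a security_driver value the bug says must be rejected."""

_STRING = re.compile(r'^"([^"]*)"$')
_LIST = re.compile(r'^\[(.*)\]$')

def parse_security_driver(line):
    """Parse one qemu.conf line. Returns None for a blank or commented-out
    line, a str for a quoted scalar, or a list of str for a bracketed list."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    key, _, value = stripped.partition("=")
    if key.strip() != "security_driver":
        raise SecurityDriverConfigError("not a security_driver line: %r" % line)
    value = value.strip()
    m = _STRING.match(value)
    if m:
        return m.group(1)
    m = _LIST.match(value)
    if m:
        names = []
        for item in (i.strip() for i in m.group(1).split(",") if i.strip()):
            im = _STRING.match(item)
            if not im:
                raise SecurityDriverConfigError("list item must be quoted: %r" % item)
            names.append(im.group(1))
        return names
    raise SecurityDriverConfigError("unparseable value: %r" % value)

def validate(value):
    """Enforce the rules from the bug: 'dac' can never be listed, and 'none'
    is only valid on its own as a plain string (never inside a list)."""
    if value is None:
        return
    names = [value] if isinstance(value, str) else value
    if ALWAYS_ON in names:
        raise SecurityDriverConfigError("'dac' is always enabled and cannot be listed")
    if isinstance(value, list):
        if not value:
            raise SecurityDriverConfigError("empty driver list")
        if "none" in value:
            raise SecurityDriverConfigError("'none' may only be set in isolation")

def is_rejected(value):
    """True if validate() refuses this value (helper for quick checks)."""
    try:
        validate(value)
    except SecurityDriverConfigError:
        return True
    return False

def effective_stack(value, host_drivers):
    """Driver stack that results from a (validated) value: probe the host
    when unset, else take the configured driver(s), then append 'dac'.
    host_drivers is the assumed set of drivers usable on this host."""
    validate(value)
    if value is None:
        chosen = [next(d for d in PROBE_ORDER if d in host_drivers or d == "none")]
    elif isinstance(value, str):
        chosen = [value]
    else:
        chosen = list(value)
    return chosen + [ALWAYS_ON]

def check_line(line, host_drivers):
    """Convenience wrapper: returns the stack, or the rejection reason."""
    try:
        return effective_stack(parse_security_driver(line), host_drivers)
    except SecurityDriverConfigError as err:
        return "rejected: %s" % err

if __name__ == "__main__":
    # Constructed sample lines covering the cases listed in the bug.
    samples = [
        '#security_driver = "selinux"',
        'security_driver = "none"',
        'security_driver = [ "selinux", "apparmor" ]',
        'security_driver = "dac"',
        'security_driver = [ "none", "selinux", "dac" ]',
    ]
    for sample in samples:
        print("%-48s -> %s" % (sample, check_line(sample, {"selinux"})))
```

Running the block prints the resulting stack for the accepted lines (e.g. the commented-out default probes to selinux and gains dac) and the rejection reason for each of the forbidden forms from the description.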
Comment 5 errata-xmlrpc 2013-02-21 02:22:59 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0276.html
