Red Hat Bugzilla – Bug 853925
[configuration][doc] set security_driver in qemu.conf
Last modified: 2013-02-21 02:22:59 EST
Description of problem:
With latest patch:

From: "Daniel P. Berrange" <berrange@redhat.com>

If no 'security_driver' config option was set, then the code just loaded the 'dac' security driver. This is a regression on previous behaviour, where we would probe for a possible security driver, i.e. default to SELinux if available.

This changes things so that if 'security_driver' is not set, we once again do probing. For simplicity we also always create the stack driver, even if there is only one driver active.

The desired semantics are:

 - security_driver not set
   -> probe for selinux/apparmor/nop
   -> auto-add DAC driver
 - security_driver set to a string
   -> add that one driver
   -> auto-add DAC driver
 - security_driver set to a list
   -> add all drivers in list
   -> auto-add DAC driver

It is not allowed, or possible, to specify 'dac' in the security_driver config param, since that is always enabled.

The following configs will cause problems and should not be allowed, security_driver set as:
"dac"
[ "none" ]
[ "none", "dac" ]
[ "none", "selinux" ]
[ "none", "selinux", "dac" ]

This should be mentioned in the doc and recorded in qemu.conf.

The following are acceptable:
"none"        this will auto-add the DAC driver
"selinux"     this will auto-add the DAC driver
["selinux"]   this will auto-add the DAC driver

security_driver = [ "selinux", "apparmor" ]
is supported in this way, but we do not have apparmor.

Version-Release number of selected component (if applicable):
libvirt-0.10.1-1.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1.
2.
3.

Actual results:
The doc and qemu.conf do not cover this.

Expected results:
Cover the details.

Additional info:
Moving to POST:

commit 95fbc833874f93d099ed3e017f61699b905cd70c
Author: Martin Kletzander <mkletzan@redhat.com>
Date:   Tue Sep 4 16:09:43 2012 +0200

    conf: describe security_driver behavior
pkg: libvirt-0.10.2-0rc1.el6.x86_64

The description has been updated in qemu.conf, so this is fixed.

# The default security driver is SELinux. If SELinux is disabled
# on the host, then the security driver will automatically disable
# itself. If you wish to disable QEMU SELinux security driver while
# leaving SELinux enabled for the host in general, then set this
# to 'none' instead. It's also possible to use more than one security
# driver at the same time, for this use a list of names separated by
# comma and delimited by square brackets. For example:
#
#       security_driver = [ "selinux", "apparmor" ]
#
# Notes: The DAC security driver is always enabled; as a result, the
# value of security_driver cannot contain "dac". The value "none" is
# a special value; security_driver can be set to that value in
# isolation, but it cannot appear in a list of drivers.
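The rules spelled out in the description above and in the qemu.conf comment are small enough to model directly. The following is an added example, not libvirt code and not part of this bug report: it pulls the security_driver line out of a qemu.conf fragment and resolves it the way the commit describes (unset -> probe, string -> that driver, list -> every listed driver, DAC always appended), rejecting "dac" anywhere and "none" inside a list. The conf fragments are constructed for the example, the parser understands only this one key, and probe_host_driver() is a stand-in that takes the host's available drivers as an argument instead of asking the kernel.

```python
"""Model of the documented qemu.conf 'security_driver' rules (added example, not libvirt code).

  - not set            -> probe selinux, then apparmor, else 'none'; DAC auto-added
  - set to one string  -> that driver; DAC auto-added
  - set to a list      -> every driver in the list; DAC auto-added
  - 'dac' may never be named, because it is always enabled
  - 'none' is only valid on its own, never inside a list
"""
import re
from typing import List, Sequence, Union

PROBE_ORDER = ("selinux", "apparmor")
NAMEABLE_DRIVERS = frozenset({"selinux", "apparmor", "none"})
DriverValue = Union[None, str, List[str]]


class SecurityDriverConfigError(ValueError):
    """Raised for a security_driver value the documented rules reject."""


# Only the security_driver key is recognised; an optional trailing '# comment' is allowed.
_SCALAR_RE = re.compile(r'^security_driver\s*=\s*"([^"]*)"(?:\s*#.*)?$')
_LIST_RE = re.compile(r'^security_driver\s*=\s*\[(.*?)\](?:\s*#.*)?$')
_LIST_BODY_RE = re.compile(r'^\s*(?:"[^"]*"\s*(?:,\s*"[^"]*"\s*)*)?$')


def parse_security_driver(conf_text: str) -> DriverValue:
    """Return None if the key is absent or commented out, a str for a scalar,
    a list for a bracketed list. A later assignment overrides an earlier one."""
    value: DriverValue = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SCALAR_RE.match(line)
        if m:
            value = m.group(1)
            continue
        m = _LIST_RE.match(line)
        if m:
            body = m.group(1)
            if not _LIST_BODY_RE.match(body):
                raise SecurityDriverConfigError("malformed list: %s" % line)
            value = re.findall(r'"([^"]*)"', body)
    return value


def probe_host_driver(available: Sequence[str]) -> str:
    """Stand-in for the host probe (assumption: caller supplies what the host
    offers; real libvirt asks the kernel). First match wins, else 'none'."""
    for name in PROBE_ORDER:
        if name in available:
            return name
    return "none"


def resolve_security_drivers(value: DriverValue,
                             available: Sequence[str] = ("selinux",)) -> List[str]:
    """Return the driver stack built for 'value', DAC auto-added last.
    Raises SecurityDriverConfigError for the combinations the bug lists as invalid."""
    if value is None:
        names = [probe_host_driver(available)]
    elif isinstance(value, str):
        names = [value]
    elif isinstance(value, list):
        if not value:
            raise SecurityDriverConfigError("security_driver list is empty")
        if "none" in value:
            raise SecurityDriverConfigError("'none' may only be used on its own, not in a list")
        names = list(value)
    else:
        raise SecurityDriverConfigError("unsupported security_driver type: %r" % (value,))

    for name in names:
        if name == "dac":
            raise SecurityDriverConfigError("'dac' is always enabled and must not be listed")
        if name not in NAMEABLE_DRIVERS:
            raise SecurityDriverConfigError("unknown security driver %r" % name)
    return names + ["dac"]


def is_valid_security_driver(value: DriverValue) -> bool:
    """True when resolve_security_drivers() accepts 'value'."""
    try:
        resolve_security_drivers(value)
    except SecurityDriverConfigError:
        return False
    return True


# Constructed sample fragments in qemu.conf syntax (not taken from a real host).
SAMPLE_UNSET = '# security_driver = "selinux"\n'
SAMPLE_LIST = 'security_driver = [ "selinux", "apparmor" ]\n'
SAMPLE_BAD = 'security_driver = [ "none", "selinux", "dac" ]\n'

if __name__ == "__main__":
    for text in (SAMPLE_UNSET, SAMPLE_LIST, SAMPLE_BAD):
        try:
            print(repr(text.strip()), "->", resolve_security_drivers(parse_security_driver(text)))
        except SecurityDriverConfigError as exc:
            print(repr(text.strip()), "-> rejected:", exc)
```

Running the module walks the three constructed fragments: the commented-out line probes and yields the SELinux plus DAC stack on a host that offers SELinux, the two-element list yields selinux, apparmor, dac, and the third fragment is rejected because "none" appears inside a list (it would also be rejected for naming "dac").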
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0276.html