Bug 999301 - DAC security model does not support relabel attribute
Status: CLOSED NEXTRELEASE
Alias: None
Product: Virtualization Tools
Classification: Community
Component: libvirt
Version: unspecified
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: low
Target Milestone: ---
Assignee: Martin Kletzander
Reported: 2013-08-21 06:19 UTC by Cristian Ciupitu
Modified: 2014-08-25 17:53 UTC (History)
Doc Type: Bug Fix
Last Closed: 2014-05-21 09:35:30 UTC

Description Cristian Ciupitu 2013-08-21 06:19:21 UTC
Description of problem:
<seclabel model='dac' relabel='no'/> does not work, the owner and the group of
the file are still changed to qemu:qemu.

Version-Release number of selected component (if applicable):
libvirt-daemon-1.1.1-2.fc19.x86_64.rpm

How reproducible:
Every time

Steps to Reproduce:
1. Create a virtual machine
2. Attach a CD image to it:
    # virsh dumpxml test
        ...
        <disk type='file' device='cdrom'>
          <driver name='qemu' type='raw'/>
          <source file='/mnt/extra/Software/Linux/Fedora/Fedora-Live-Desktop-x86_64-19/Fedora-Live-Desktop-x86_64-19-1.iso'>
            <seclabel model='selinux' relabel='no'/>
            <seclabel model='dac' relabel='no'/>
          </source>
          <target dev='hdc' bus='ide'/>
          <readonly/>
          <shareable/>
          <address type='drive' controller='0' bus='1' target='0' unit='0'/>
        </disk>

3. Start the machine:
    # ls -lZ Fedora-Live-Desktop-x86_64-19-1.iso 
    -r--r--r--. root root system_u:object_r:public_content_t:s0 Fedora-Live-Desktop-x86_64-19-1.iso

    # virsh start test
    Domain test started

Actual results:
# ls -lZ Fedora-Live-Desktop-x86_64-19-1.iso 
-r--r--r--. qemu qemu system_u:object_r:public_content_t:s0 Fedora-Live-Desktop-x86_64-19-1.iso

Expected results:
The owner & group shouldn't be changed.

Additional info:
https://www.redhat.com/archives/libvirt-users/2013-August/msg00100.html

Comment 1 Cristian Ciupitu 2013-08-21 06:24:15 UTC
Just to avoid any confusion, the RPM was installed from the fedora-virt-preview
repository.

Comment 3 Ján Tomko 2014-05-21 09:35:30 UTC
Merged upstream as of:
commit 9369a562446b7bb5314e6e1f6e65379bc1da6721
Author:     Jim Fehlig <jfehlig>
AuthorDate: 2014-05-15 16:38:01 -0600
Commit:     Jim Fehlig <jfehlig>
CommitDate: 2014-05-16 15:32:14 -0600

    security_dac: avoid relabeling when relabel='no'
    
    If relabel='no' at the domain level, no need to attempt relabeling
    in virSecurityDAC{Set,Restore}SecurityAllLabel().
    
    Signed-off-by: Michal Privoznik <mprivozn>
    Signed-off-by: Jim Fehlig <jfehlig>

git describe: v1.2.4-84-g9369a56

Comment 4 Cristian Ciupitu 2014-08-25 17:53:29 UTC
Confirmed that it works fine with libvirt-daemon-kvm-1.2.7-2.fc20.x86_64.
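
Added example (not part of the bug report and not libvirt code): a Python check for this regression. It lists the disk sources in a domain XML that carry <seclabel model='dac' relabel='no'/> and compares ownership snapshots taken before and after "virsh start". The function names, the sample XML and its paths are constructed for illustration.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the <disk> element in the report (paths are made up).
SAMPLE_XML = """<domain type='kvm'>
  <name>test</name>
  <devices>
    <disk type='file' device='cdrom'>
      <source file='/tmp/example.iso'>
        <seclabel model='selinux' relabel='no'/>
        <seclabel model='dac' relabel='no'/>
      </source>
      <target dev='hdc' bus='ide'/>
    </disk>
    <disk type='file' device='disk'>
      <source file='/tmp/example.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
  </devices>
</domain>"""

def dac_relabel_disabled(domain_xml):
    """Return disk source paths that have <seclabel model='dac' relabel='no'/>."""
    paths = []
    for source in ET.fromstring(domain_xml).findall("./devices/disk/source"):
        path = source.get("file") or source.get("dev")
        labels = source.findall("seclabel")
        if path and any(l.get("model") == "dac" and l.get("relabel") == "no"
                        for l in labels):
            paths.append(path)
    return paths

def snapshot_owners(paths):
    """Record (uid, gid) for each path; call once before and once after start."""
    owners = {}
    for p in paths:
        st = os.stat(p)
        owners[p] = (st.st_uid, st.st_gid)
    return owners

def changed_owners(before, after):
    """Return the paths whose (uid, gid) differs between the two snapshots."""
    return sorted(p for p in before if after.get(p) != before[p])

if __name__ == "__main__":
    # In real use, feed the output of "virsh dumpxml <domain>" instead of SAMPLE_XML.
    for p in dac_relabel_disabled(SAMPLE_XML):
        print("ownership must not change:", p)
```

Any path returned by changed_owners() for a source marked relabel='no' reproduces the behaviour described in this bug.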

