<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p><br>
</p>
<div class="moz-cite-prefix">On 2020/11/20 15:49, Michal Privoznik
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:721f1987-8dad-16d0-53ff-137aa627f8ce@redhat.com">
<pre class="moz-quote-pre" wrap="">On 11/19/20 3:54 PM, Jin Yan wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">
On 2020/11/13 22:33, Michal Privoznik wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">On 11/13/20 10:47 AM, Jin Yan wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">Hi Michal,
I found this problem while performing migration, based on
libvirt version: 6.2.0
SELinux mode: permissive
Steps:
1. start a vm configured with pipe-type serial port.
<serial type='pipe'>
<source path='/tmp/test_pipe'/>
<target type='system-serial' port='1'>
<model name='pl011'/>
</target>
</serial>
2. migrate vm to Dst-side where no '/tmp/test_pipe' exits.
3. migration failed in Dst-side qemuProcessLaunch, and the path's label
that
has been set is not restored ('/var/lib/libvirt/qemu/nvram/XXX.fd').
I have no idea why 2)rollback you mentioned didn't work.
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">I'm not sure. I could not reproduce with the current master. Is it
possible for you to try the master?
Michal
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
I think we can reproduce it in a more easier way, that is, starting a VM
whose XML is configured with a pipe file that does not exist on local host:
<serial type='pipe'>
<source path='/tmp/serial.pipe'/>
<target port='0'/>
</serial>
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
This is what I have in XML:
<serial type='pipe'>
<source path='/tmp/test_pipe'/>
<target type='isa-serial' port='0'>
<model name='isa-serial'/>
</target>
</serial>
and the file doesn't exist.
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">
1. Though '/tmp/serial.pipe' does not exist, this secdriver (if I'm not
mistaken about this concept) set SELinux-label return success, and the
marked items (eg. XXX.fd, XXX.iso) will not be rollback.
[call trace]:
virSecuritySELinuxTransactionRun -- return 0
virSecuritySELinuxSetFilecon -- return 0
virSecuritySELinuxSetFileconImpl -- return 1, warned unable
to ...
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
I don't get a warning. I get a regular error:
error: unable to set security context
'unconfined_u:object_r:svirt_image_t:s0:c339,c673' on '/tmp/test_pipe':
No such file or directory
</pre>
</blockquote>
<pre>
I guess the reason you got the error is that your SELinux mode is enforcing
but mine is permissive. The two modes are processed differently in
virSecuritySELinuxSetFileconImpl().
</pre>
<blockquote type="cite"
cite="mid:721f1987-8dad-16d0-53ff-137aa627f8ce@redhat.com">
<pre class="moz-quote-pre" wrap="">
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">2. The next secdriver about setting DAC-label run in
virSecurityDACTransactionRun() return false because above file does not
exist.
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
Oh I think get it now. So if one secdriver would fail but not the other
then because of transactions the rollback would be ineffective?
</pre>
</blockquote>
<pre>
If one secdriver success (maybe should fail?) and the next fail, which
function cotrols rollback? virSecurityManagerTransactionCommit() is
executed after virSecurityStackSetAllLabel(), but the rollback
(virSecurityManagerTransactionAbort) can't restore label.
</pre>
<blockquote type="cite"
cite="mid:721f1987-8dad-16d0-53ff-137aa627f8ce@redhat.com">
<pre class="moz-quote-pre" wrap="">
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">virSecurityManagerTransactionCommit() return false, but where is the
rollback performed for other secdrivers (here means setting
SELinux-label in 1) ? I don't quite understand the second point you
mentioned in your last reply:
---
2) rollback for other secdrivers after one failed is handled in
virSecurityStackSetAllLabel().
---
In addition, is there any wrong in virSecuritySELinuxTransactionRun
return success while '/tmp/serial.pipe' does not exist?
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
I guess that is the source of problem. Have you tried the latest release
(or master)?
</pre>
</blockquote>
<pre>
I can't use the latest release for the time being, but I compared the code
and think the problem may still exist.
Yan
</pre>
</body>
</html>