[Libguestfs] [PATCH] Use proper label for nbdkit sockets

Richard W.M. Jones rjones at redhat.com
Tue May 28 09:14:01 UTC 2019


On Mon, May 27, 2019 at 01:30:05PM +0200, Martin Kletzander wrote:
> While svirt_t can be used for sockets, it does not always guarantee that it will
> be accessible from a virtual machine.  The VM might be running under svirt_tcg_t
> context which will need a svirt_tcg_t label on the socket in order to access it.

I don't really know enough about SELinux or the sVirt policy to
comment on this, but it's plausible so I'll push it soon, thanks.

Rich.

> There is, however, another label, svirt_socket_t, which is accessible from
> virt_domain:
> 
>   # sesearch -A -s svirt_t -c unix_stream_socket -p connectto
>   ...
>   allow virt_domain svirt_socket_t:unix_stream_socket { ... connectto ... };
>   ...
> 
> And virt_domain is a type attribute of both svirt_t and svirt_tcg_t:
> 
>   # seinfo -x -a virt_domain
>   Type Attributes: 1
>      attribute virt_domain;
>           svirt_t
>           svirt_tcg_t
> 
> Resolves: https://bugzilla.redhat.com/1698437
> 
> Signed-off-by: Martin Kletzander <mkletzan at redhat.com>
> ---
>  v2v/input_libvirt_vddk.ml | 2 +-
>  v2v/output_rhv_upload.ml  | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/v2v/input_libvirt_vddk.ml b/v2v/input_libvirt_vddk.ml
> index e2efef842e8e..4e36ff71f783 100644
> --- a/v2v/input_libvirt_vddk.ml
> +++ b/v2v/input_libvirt_vddk.ml
> @@ -286,7 +286,7 @@ object
>        add_arg "--newstyle";         (* use newstyle NBD protocol *)
>        add_arg "--exportname"; add_arg "/";
>        if have_selinux then (        (* label the socket so qemu can open it *)
> -        add_arg "--selinux-label"; add_arg "system_u:object_r:svirt_t:s0"
> +        add_arg "--selinux-label"; add_arg "system_u:object_r:svirt_socket_t:s0"
>        );
>  
>        (* Name of the plugin.  Everything following is a plugin parameter. *)
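Review bot: the comment on the `if have_selinux then` line still reads only "label the socket so qemu can open it", so the reason for choosing this particular type now lives only in the commit message; a short note next to the literal that `svirt_socket_t` is the type the `virt_domain` attribute (both `svirt_t` and `svirt_tcg_t`) is allowed to `connectto` would keep the rationale with the code. The same label string is hard-coded again in v2v/output_rhv_upload.ml; a single shared constant would stop the two copies from drifting apart the next time the label has to change, as it did here.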
> diff --git a/v2v/output_rhv_upload.ml b/v2v/output_rhv_upload.ml
> index 0709c8152c4e..5bc6a400725b 100644
> --- a/v2v/output_rhv_upload.ml
> +++ b/v2v/output_rhv_upload.ml
> @@ -213,7 +213,7 @@ See also the virt-v2v-output-rhv(1) manual.")
>      let args =
>        (* label the socket so qemu can open it *)
>        if have_selinux then
> -        args @ ["--selinux-label"; "system_u:object_r:svirt_t:s0"]
> +        args @ ["--selinux-label"; "system_u:object_r:svirt_socket_t:s0"]
>        else args in
>      args in
>  
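Review bot: this is the second copy of the literal "system_u:object_r:svirt_socket_t:s0" (the first is in v2v/input_libvirt_vddk.ml), built in a slightly different way (`args @ [...]` here, `add_arg` there); hoisting the label into one definition in a common module would make a label change like this one a single edit and remove the risk of the two sockets ending up with different types. The unchanged `have_selinux` guard is fine as is, since the option is only passed when SELinux is in use.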
> -- 
> 2.21.0

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
libguestfs lets you edit virtual machines.  Supports shell scripting,
bindings from many languages.  http://libguestfs.org
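The commit message verifies the choice of type by hand with `sesearch` and `seinfo`. The following is an added example, not code from the thread or from libguestfs/virt-v2v, that automates that check: it parses the two command outputs, expands type attributes such as `virt_domain` into their member types, and reports which of the domains a guest may run under cannot `connectto` a socket carrying a given label. The sample command output is constructed to mirror the quoted output (it is not captured from a real host), and the function names are mine.

```python
import re

# Constructed sample of `seinfo -x -a virt_domain` output (modelled on the
# quoted output, not captured from a real policy).
SEINFO_SAMPLE = """\
Type Attributes: 1
   attribute virt_domain;
        svirt_t
        svirt_tcg_t
"""

# Constructed sample of `sesearch -A -c unix_stream_socket -p connectto` output.
# The first rule is the one the commit message relies on; the other two show
# the situation the patch fixes: a socket typed svirt_t is only reachable
# from svirt_t itself, not from svirt_tcg_t.
SESEARCH_SAMPLE = """\
allow virt_domain svirt_socket_t:unix_stream_socket { getattr read write connectto };
allow svirt_t svirt_t:unix_stream_socket { getattr read write connectto };
allow svirt_tcg_t svirt_tcg_t:unix_stream_socket { getattr read write connectto };
"""

ALLOW_RE = re.compile(r"^allow (\w+) (\w+):(\w+) (?:\{ ([^}]*) \}|(\w+));")


def parse_attributes(seinfo_text):
    """Map each attribute listed by `seinfo -x -a` to the set of types under it."""
    attrs = {}
    current = None
    for line in seinfo_text.splitlines():
        s = line.strip()
        m = re.match(r"attribute (\w+);", s)
        if m:
            current = m.group(1)
            attrs[current] = set()
        elif current and s:
            attrs[current].add(s)          # indented member type
    return attrs


def parse_allow_rules(sesearch_text):
    """Return (source, target, class, perms) tuples for each `allow` line."""
    rules = []
    for line in sesearch_text.splitlines():
        m = ALLOW_RE.match(line.strip())
        if not m:
            continue
        src, tgt, cls, perm_set, perm_single = m.groups()
        perms = set(perm_set.split()) if perm_set else {perm_single}
        rules.append((src, tgt, cls, perms))
    return rules


def expand(name, attrs):
    """A type attribute stands for all its member types; a plain type is itself."""
    return attrs.get(name, {name})


def domains_that_can(rules, attrs, target_type, cls, perm):
    """All concrete source types allowed `perm` on `target_type:cls`."""
    allowed = set()
    for src, tgt, rcls, perms in rules:
        if rcls == cls and perm in perms and target_type in expand(tgt, attrs):
            allowed |= expand(src, attrs)
    return allowed


def domains_missing_access(rules, attrs, label, domains,
                           cls="unix_stream_socket", perm="connectto"):
    """Which of `domains` could NOT connect to a socket labelled `label`.

    `label` is a full context such as system_u:object_r:svirt_socket_t:s0;
    the type is the third field, so MCS categories after the level are ignored.
    """
    socket_type = label.split(":")[2]
    return set(domains) - domains_that_can(rules, attrs, socket_type, cls, perm)


ATTRS = parse_attributes(SEINFO_SAMPLE)
RULES = parse_allow_rules(SESEARCH_SAMPLE)
GUEST_DOMAINS = ("svirt_t", "svirt_tcg_t")   # the members of virt_domain

if __name__ == "__main__":
    for label in ("system_u:object_r:svirt_t:s0",
                  "system_u:object_r:svirt_socket_t:s0"):
        missing = domains_missing_access(RULES, ATTRS, label, GUEST_DOMAINS)
        print(label, "unreachable from:", sorted(missing) or "none")
```

Against the constructed policy the old label `svirt_t` leaves `svirt_tcg_t` without `connectto`, while `svirt_socket_t` is reachable from every member of `virt_domain`, which is the argument the commit message makes. On a real host, replace the two embedded samples with the output of the same `seinfo` and `sesearch` commands; the parser only understands the `allow` and attribute listing forms shown above.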