[libvirt] [PATCH] conf: Fix parsing of seclabels without model

Marcelo Cerri mhcerri at linux.vnet.ibm.com
Thu Aug 30 18:01:34 UTC 2012


On 08/30/2012 02:12 PM, Jiri Denemark wrote:
> On Thu, Aug 30, 2012 at 13:19:31 -0300, Marcelo Cerri wrote:
>> With this patch libvirt tries to assign a model to seclabels when the model
>> is missing. Libvirt will look up the host's capabilities and assign a
>> model, in order, to each seclabel that doesn't have a model assigned.
>>
>> This patch fixes:
>>
>> 1. The problem with existing guests that have a seclabel defined in their XML.
>> 2. An XML parse error when a guest is restored.
>>
>> Signed-off-by: Marcelo Cerri <mhcerri at linux.vnet.ibm.com>
>> ---
>>   src/conf/domain_conf.c | 56 ++++++++++++++++++++++++++------------------------
>>   1 file changed, 29 insertions(+), 27 deletions(-)
>
> I think this is trying to fix the issue at a wrong place. It's not that XML
> generated by older libvirtd is not correctly parsed by current libvirtd. The
> problem is that *current* libvirtd creates an XML that it cannot parse back.
> Thus we should rather fix the code that formats the XML.
>

I don't agree. If you save a domain using the latest libvirt and using 
an earlier version (I used v0.9.10) and then check the XML included in 
each save file, you'll see something similar to this for the latest 
libvirt version:

   ...
   </devices>
   <seclabel type='dynamic' model='selinux' relabel='yes'>
     <label>unconfined_u:system_r:svirt_t:s0:c323,c995</label>
     <imagelabel>unconfined_u:object_r:svirt_image_t:s0:c323,c995</imagelabel>
   </seclabel>
   <seclabel type='dynamic' model='dac' relabel='yes'>
     <label>0:0</label>
     <imagelabel>0:0</imagelabel>
   </seclabel>
</domain>

And this for v0.9.10:

   ...
   </devices>
   <seclabel type='dynamic' model='selinux' relabel='yes'>
     <label>system_u:system_r:svirt_t:s0:c175,c437</label>
     <imagelabel>system_u:object_r:svirt_image_t:s0:c175,c437</imagelabel>
   </seclabel>
</domain>

The biggest difference is the seclabel for DAC.

> On that front, I'm concerned about migration compatibility of this new
> security driver code. If we just blindly emit <seclabel type='dynamic'
> model='dac' relabel='yes'> element into the XML, I'm pretty sure an older
> libvirtd will complain about it even though the element was not used to do
> anything special that would be done anyway (that is, if labels are the default
> qemu_user:qemu_group).
>

Not sure if I understood your point. I can't find a scenario in which an
older libvirtd will try to parse an XML generated by an earlier libvirtd
version. I think that this will only happen if you save a guest,
downgrade libvirt and then restore the guest.

> Jirka
>



