[libvirt] [PATCH 3/3] Fix parsing of SELinux ranges without a category
Eric Blake
eblake at redhat.com
Wed Mar 13 22:37:55 UTC 2013
On 03/13/2013 12:04 PM, Daniel P. Berrange wrote:
> From: "Daniel P. Berrange" <berrange at redhat.com>
>
> Normally libvirtd should run with a SELinux label
>
> system_u:system_r:virtd_t:s0-s0:c0.c1023
>
> If a user manually runs libvirtd though, it is sometimes
> possible to get into a situation where it is running
>
> system_u:system_r:init_t:s0
>
> The SELinux security driver isn't expecting this and can't
> parse the security label since it lacks the ':c0.c1023' part
> causing it to complain
>
> internal error Cannot parse sensitivity level in s0
>
> This updates the parser to cope with this, so if no category
> is present, libvirtd will hardcode the equivalent of c0.c1023.
>
> Now this won't work if SELinux is in Enforcing mode, but that's
> not an issue, because the user can only get into this problem
> if in Permissive mode. This means they can now start VMs in
> Permissive mode without hitting that parsing error
>
> Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
> ---
> src/security/security_selinux.c | 38 +++++++++++++++++++++++++++++---------
> tests/securityselinuxtest.c | 12 ++++++++++++
> 2 files changed, 41 insertions(+), 9 deletions(-)
ACK.
> + *
> + * In the first two cases, we'll assume c0.c1023 for
> + * the category part, since that's what we're really
> + * interested in. This won't work in Enforcing mode,
> + * but will prevent libvirtd breaking in Permissive
> + * mode when run with a wierd procss label.
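Review bot: the comment says what value is substituted but not that the substituted c0.c1023 is a guess the parser makes rather than the range the process actually holds; since the cover letter says this label is only reachable in Permissive mode and the guessed range will be rejected in Enforcing mode, the comment should say so explicitly, and the code path that applies the default should emit a warning-level log naming the original context, so an administrator can tell from the log that libvirtd was started with an unexpected process label instead of discovering it when a VM fails to start under Enforcing.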
s/wierd procss/weird process/
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
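The label forms discussed in this thread, handled by an added example that is not libvirt's own security_selinux.c code: it splits an SELinux process context into its four colon-separated fields and pulls the MCS sensitivity and category out of the range field, substituting c0.c1023 when no category is present, which is the behaviour the commit message describes. The names (mcs_info, parse_mcs_range and the small wrappers), the fixed buffer sizes and the choice to keep the low end of a low-high range are the example's own assumptions, not libvirt's.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Example parser (not libvirt's). Range forms it handles, taken from the
 * labels quoted in the thread plus the obvious single-level variants:
 *   s0                 no high level, no category
 *   s0-s0              low-high, no category
 *   s0:c0.c1023        single level with category
 *   s0-s0:c0.c1023     low-high with category
 * When the category is missing it is assumed to be DEFAULT_CATEGORY and
 * the cat_defaulted flag is set so the caller can log that assumption. */

#define DEFAULT_CATEGORY "c0.c1023"

typedef struct {
    char sens[32];      /* sensitivity, e.g. "s0" (low end of a low-high range) */
    char cat[64];       /* category set, e.g. "c0.c1023" */
    int cat_defaulted;  /* 1 if cat came from DEFAULT_CATEGORY, else 0 */
} mcs_info;

/* Returns 0 on success, -1 if the context has fewer than four fields or
 * the range field does not look like "sN[-sN][:cats]". */
int parse_mcs_range(const char *context, mcs_info *out)
{
    const char *p = context;
    const char *range, *colon, *dash, *end;
    size_t n;
    int i;

    /* Skip user, role and type; the fourth field is the range. */
    for (i = 0; i < 3; i++) {
        p = strchr(p, ':');
        if (!p)
            return -1;
        p++;
    }
    range = p;
    if (*range != 's')
        return -1;

    /* The category, if any, follows the first ':' inside the range.
     * Everything before it is the sensitivity, possibly "low-high". */
    colon = strchr(range, ':');
    end = colon ? colon : range + strlen(range);

    /* Keep the low end of "low-high" (example's choice). */
    dash = memchr(range, '-', (size_t)(end - range));
    n = (size_t)((dash ? dash : end) - range);
    if (n < 2 || n >= sizeof(out->sens))
        return -1;
    memcpy(out->sens, range, n);
    out->sens[n] = '\0';

    if (colon) {
        const char *cat = colon + 1;
        const char *cat_dash = strchr(cat, '-');   /* "s0:c0-s0:c0.c1023" form */
        size_t len = cat_dash ? (size_t)(cat_dash - cat) : strlen(cat);
        if (len < 2 || cat[0] != 'c' || len >= sizeof(out->cat))
            return -1;
        memcpy(out->cat, cat, len);
        out->cat[len] = '\0';
        out->cat_defaulted = 0;
    } else {
        /* No category: assume the full set, as the patch does. */
        strcpy(out->cat, DEFAULT_CATEGORY);
        out->cat_defaulted = 1;
    }
    return 0;
}

/* Small wrappers so results can be checked without touching the struct.
 * Each returns -1 if the context does not parse. */
int mcs_sensitivity_is(const char *context, const char *expected)
{
    mcs_info m;
    if (parse_mcs_range(context, &m) < 0)
        return -1;
    return strcmp(m.sens, expected) == 0;
}

int mcs_category_is(const char *context, const char *expected)
{
    mcs_info m;
    if (parse_mcs_range(context, &m) < 0)
        return -1;
    return strcmp(m.cat, expected) == 0;
}

int mcs_category_defaulted(const char *context)
{
    mcs_info m;
    if (parse_mcs_range(context, &m) < 0)
        return -1;
    return m.cat_defaulted;
}

int main(void)
{
    /* Constructed inputs: the two labels quoted in the commit message. */
    const char *labels[] = {
        "system_u:system_r:virtd_t:s0-s0:c0.c1023",
        "system_u:system_r:init_t:s0",
    };
    size_t i;
    for (i = 0; i < sizeof(labels) / sizeof(labels[0]); i++) {
        mcs_info m;
        if (parse_mcs_range(labels[i], &m) < 0) {
            printf("%s: cannot parse range\n", labels[i]);
            continue;
        }
        printf("%s -> sens=%s cat=%s%s\n", labels[i], m.sens, m.cat,
               m.cat_defaulted ? " (category assumed, label was incomplete)" : "");
    }
    return 0;
}
```

The cat_defaulted flag is the piece worth surfacing: a daemon that normally runs as virtd_t:s0-s0:c0.c1023 but reports an assumed category was started outside its expected context, and, as the commit message says, the guessed range will only be accepted while SELinux is Permissive.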