[libvirt] [PATCH] security_selinux: Don't relabel /dev/net/tun
Eric Blake
eblake at redhat.com
Tue Oct 7 15:19:43 UTC 2014
On 10/07/2014 08:53 AM, Michal Privoznik wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=1147057
>
> The code for relabelling the TAP FD is there due to a race. When
> libvirt creates a /dev/tapN device it's labeled as
> 'system_u:object_r:device_t:s0' by default. Later, when
> udev/systemd reacts to this device, it's relabelled to the
> expected label 'system_u:object_r:tun_tap_device_t:s0'. Hence, we
> have code that relabels the device, to cut the race down. For
> more info see ae368ebfcc4.
>
> But the problem is, the relabel function is called on all TUN/TAP
> devices. Yes, on /dev/net/tun too. This is however a special kind
> of device - other processes use it too. We shouldn't touch its
> label then.
>
> Ideally, there would be an API in SELinux that would label just the
> passed FD and not the underlying path. That way, we wouldn't need
> to care as we would not be labeling /dev/net/tun but the FD
> passed to the domain. Unfortunately, there's no such API so we
> have to work around until then.
>
> +
> + if (!STRPREFIX(fd_path, "/dev/tap")) {
Should this be "/dev/tap.", since...
> + VIR_DEBUG("fd=%d points to %s not setting SELinux label",
> + fd, fd_path);
> + rc = 0;
> + goto cleanup;
> + }
> +
> if (getContext(mgr, "/dev/tap.*", buf.st_mode, &fcon) < 0) {
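Review bot: The new block guarded by STRPREFIX(fd_path, "/dev/tap") has no comment saying why every other path is skipped, and its literal is maintained separately from the "/dev/tap.*" passed to getContext() on the line below, so the two can drift apart. Suggest a short comment naming /dev/net/tun as the shared device whose label must be left alone, and either deriving both strings from one definition or cross-referencing them. The VIR_DEBUG text also runs together; "fd=%d points to %s, not setting SELinux label" would read better in logs.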
...you require a '.' in the context lookup? Without the '.' in the
filter, you would let the (unlikely) name '/dev/tapX' get through.
ACK with that tweaked.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org