[libvirt] Printing runtime DAC seclabel in the XML
Cole Robinson
crobinso at redhat.com
Thu Apr 21 14:16:41 UTC 2016
On 04/21/2016 06:08 AM, Martin Kletzander wrote:
> On Wed, Apr 20, 2016 at 07:57:05PM -0400, Cole Robinson wrote:
>> I'm looking in the code to see why runtime VM dac seclabel values aren't
>> printed in the active XML. They are filled in, but the domain XML formatter
>> explicitly skips it:
>>
>> /* To avoid backward compatibility issues, suppress DAC and 'none' labels
>> * that are automatically generated.
>> */
>> if ((STREQ_NULLABLE(def->model, "dac") ||
>> STREQ_NULLABLE(def->model, "none")) && def->implicit)
>> return;
>>
>> The relevant bit is from here:
>>
>> commit 990e46c4542349f838e001d30638872576c389e9
>> Author: Marcelo Cerri <mhcerri at linux.vnet.ibm.com>
>> Date: Fri Aug 31 13:40:41 2012 +0200
>>
>> conf: Avoid formatting auto-generated DAC labels
>>
>> And I think comment elsewhere in domain_conf.c explains what that's all about:
>>
>> /* libvirt versions prior to 0.10.0 support just a single seclabel element
>> * in guest's XML and model attribute can be suppressed if type is none or
>> * type is dynamic, baselabel is not defined and INACTIVE flag is set.
>> *
>> * To avoid compatibility issues, for this specific case the first model
>> * defined in host's capabilities is used as model for the seclabel.
>> */
>>
>> Just dropping the the model == "dac" check above seems to accomplish what I'm
>> after, but it's not strictly back compatible. That said, libvirt has supported
>
> I think this has nothing to do with backward compatibility, but forward
> compatibility (which we care about for "some" time).
>
That's not my reading of the patch + thread. I think it was that new libvirt
starting printing two <seclabel> blocks for active XML. If you then do a
managedsave, downgrade libvirt, and attempt a restore (or live migration to an
older version), old libvirt errors when it sees 2 <seclabel> blocks. So back
compat here to me meant 'generate XML that old libvirt will accept'
> What are you trying to achieve? It works for me, the default seclabel
> is not exposed, but if I change it, it is dumped for running, shut-off
> or whatever domain there is.
>
the issue: start a VM with no explicit seclabel config, dump the running XML,
you'll see something like this:
<seclabel type='dynamic' model='selinux' relabel='yes'>
<label>unconfined_u:unconfined_r:svirt_t:s0:c325,c747</label>
<imagelabel>unconfined_u:object_r:svirt_image_t:s0:c325,c747</imagelabel>
</seclabel>
but no <seclabel> block for DAC labels, which seems inconsistent
>> multiple seclabels for a loooong time now, so I wonder do we even care? Do we
>
> Probably migration to older versions, but I'm not sure that there's that
> many people who care about it. And it won't work because of other
> things too -- I think it's just not supported use-case anyway.
>
>> have a target for how far back we try to maintain XML compat? Or does anyone
>> else have other ideas?
>>
>
> Back-compat has now something like a 10½ years now and I think it will
> reach around 15 in next 5 years...
>
I should have been more explicit. Certainly for things like XML input we aim
to maintain back compat to the beginning, which is why tools like virt-install
can reliably work across versions.
In this case though I meant XML output back compat/migration back compat: do
we still think it's a worthy goal to maintain XML output compat with libvirt
<= 0.10.0 ? (and if so, I imagine there's a better place to handle this...
somewhere migration specific? but I'm not really familiar with the latest
infrastructure for that)
- Cole
More information about the libvir-list
mailing list