[libvirt] [PATCH v3 12/14] security: Label the external swtpm with SELinux labels

Stefan Berger stefanb at linux.vnet.ibm.com
Wed May 9 21:04:57 UTC 2018


On 05/08/2018 05:28 PM, John Ferlan wrote:
>
> On 05/04/2018 04:21 PM, Stefan Berger wrote:
>> In this patch we label the swtpm process with SELinux labels. We give it the
>> same label as the QEMU process has. We label its state directory and files
>> as well.
>>
>> The file and process labels now look as follows:
>>
>> Directory: /var/lib/libvirt/swtpm
>>
>> [root at localhost swtpm]# ls -lZ
>> total 4
>> rwx------. 2 tss  tss  system_u:object_r:svirt_image_t:s0:c254,c932 4096 Apr  5 16:46 testvm
>>
>> [root at localhost testvm]# ls -lZ
>> total 8
>> -rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 3648 Apr  5 16:46 tpm-00.permall
>>
>> The log in /var/log/swtpm/libvirt/qemu is labeled as follows:
>>
>> -rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 2237 Apr  5 16:46 vtpm.log
>>
>> [root at localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep swtpm | grep ctrl | grep -v grep
>> system_u:system_r:svirt_t:s0:c254,c932 tss 25664 0.0  0.0 28172  3892 ?        Ss   16:57   0:00 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/var/run/libvirt/qemu/swtpm/testvm-swtpm.sock,mode=0660 --tpmstate dir=/var/lib/libvirt/swtpm/testvm/tpm1.2 --log file=/var/log/swtpm/libvirt/qemu/testvm-swtpm.log
>>
>> [root at localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep qemu | grep tpm | grep -v grep
>> system_u:system_r:svirt_t:s0:c254,c932 qemu 25669 99.0  0.0 3096704 48500 ?    Sl   16:57   3:28 /bin/qemu-system-x86_64 [..]
>>
>> Signed-off-by: Stefan Berger <stefanb at linux.vnet.ibm.com>
>> ---
>>   src/libvirt_private.syms        |  1 +
>>   src/qemu/qemu_extdevice.c       | 22 ++++++++++-
>>   src/security/security_driver.h  |  4 ++
>>   src/security/security_manager.c | 17 +++++++++
>>   src/security/security_manager.h |  3 ++
>>   src/security/security_selinux.c | 82 +++++++++++++++++++++++++++++++++++++++++
>>   src/security/security_stack.c   | 19 ++++++++++
>>   7 files changed, 147 insertions(+), 1 deletion(-)
>>
> I think this looks OK - not my specialty 0-) though.  I see
> security_manager, selinux, etc. and my eyes start glazing over!
>
> Anyway, I assume the reason there's no Restore processing is because
> everything is deleted at shutdown, right?

No, the restore functions were missing. Added them now.

   Stefan
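The labeling described in the patch summary above can be verified from the outside without reading the libvirt code: the swtpm process should carry svirt_t and its state directory, state files and log should carry svirt_image_t, all with exactly the MCS category pair of the guest's QEMU process. The script below is an added example (not part of the patch, of libvirt or of swtpm) that performs that check over ps auxZ and ls -lZ lines; the sample lines and all variable and function names are constructed to mirror the output quoted in the patch description and are not captured from a real host.

```shell
#!/bin/bash
# Added example: confirm that an swtpm instance and its on-disk state are
# confined to the same sVirt MCS categories as the guest's QEMU process.
# All sample lines below are constructed; they mirror the shape of the
# ps auxZ / ls -lZ output quoted in the patch description.

QEMU_PS='system_u:system_r:svirt_t:s0:c254,c932 qemu 25669 99.0 0.0 3096704 48500 ? Sl 16:57 3:28 /bin/qemu-system-x86_64 -name testvm'
SWTPM_PS='system_u:system_r:svirt_t:s0:c254,c932 tss 25664 0.0 0.0 28172 3892 ? Ss 16:57 0:00 /usr/bin/swtpm socket --daemon --tpmstate dir=/var/lib/libvirt/swtpm/testvm/tpm1.2'
STATE_DIR_LS='drwx------. 2 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 4096 Apr  5 16:46 testvm'
STATE_FILE_LS='-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 3648 Apr  5 16:46 tpm-00.permall'
LOG_LS='-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 2237 Apr  5 16:46 vtpm.log'

# Constructed failure cases: state file carrying another guest's categories,
# state file left with the generic libvirt type, and an swtpm process that
# belongs to a different guest than the QEMU process it is compared with.
WRONG_CATS_LS='-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c100,c200 3648 Apr  5 16:46 tpm-00.permall'
WRONG_TYPE_LS='-rw-r--r--. 1 tss tss system_u:object_r:virt_var_lib_t:s0 3648 Apr  5 16:46 tpm-00.permall'
OTHER_GUEST_PS='system_u:system_r:svirt_t:s0:c100,c200 tss 25700 0.0 0.0 28172 3892 ? Ss 16:58 0:00 /usr/bin/swtpm socket --daemon'

# ps auxZ prints the context as the first column.
ps_context() { printf '%s\n' "$1" | awk '{print $1}'; }

# ls -lZ prints mode, link count, user, group, then the context.
ls_context() { printf '%s\n' "$1" | awk '{print $5}'; }

# A context is user:role:type:level:categories; pull out the type.
ctx_type() { printf '%s\n' "$1" | awk -F: '{print $3}'; }

# Pull out the category list, sorted so c932,c254 and c254,c932 compare equal.
# A context with no categories yields an empty string.
ctx_cats() {
    printf '%s\n' "$1" | awk -F: '{print $5}' | tr ',' '\n' | sort | paste -sd, -
}

# Return 0 when the candidate context has the expected type and exactly the
# reference context's category set. A reference without categories is
# rejected: with no MCS pair nothing separates this guest from any other.
same_mcs_as() {
    local ref="$1" cand="$2" want_type="$3"
    [ "$(ctx_type "$cand")" = "$want_type" ] || return 1
    [ -n "$(ctx_cats "$ref")" ] || return 1
    [ "$(ctx_cats "$cand")" = "$(ctx_cats "$ref")" ]
}

# check_vtpm_isolation QEMU_PS_LINE SWTPM_PS_LINE LS_LINE...
# Returns 0 only when the swtpm process is svirt_t with QEMU's categories and
# every listed file or directory is svirt_image_t with the same categories.
check_vtpm_isolation() {
    local qemu_ctx swtpm_ctx line
    qemu_ctx=$(ps_context "$1")
    swtpm_ctx=$(ps_context "$2")
    shift 2
    same_mcs_as "$qemu_ctx" "$swtpm_ctx" svirt_t || return 1
    for line in "$@"; do
        same_mcs_as "$qemu_ctx" "$(ls_context "$line")" svirt_image_t || return 1
    done
    return 0
}

# Stand-alone run over the constructed lines.
if check_vtpm_isolation "$QEMU_PS" "$SWTPM_PS" "$STATE_DIR_LS" "$STATE_FILE_LS" "$LOG_LS"; then
    echo "swtpm process and state share QEMU's MCS categories: OK"
else
    echo "swtpm labeling does not match QEMU: state is not confined to this guest"
fi
if check_vtpm_isolation "$QEMU_PS" "$SWTPM_PS" "$WRONG_CATS_LS"; then
    echo "unexpected: mislabeled state file passed"
else
    echo "mislabeled state file (foreign categories) correctly rejected"
fi
```

On a live host the same functions can be fed `ps auxZ | grep swtpm` and `ls -lZ /var/lib/libvirt/swtpm/<name>` output for a running guest; a mismatch means the TPM state is readable by other guests' QEMU processes with the same type, which is exactly what per-guest MCS labeling is meant to prevent. Only plain MCS category lists are parsed; MLS level ranges such as s0-s0:c0.c1023 are not handled.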
