[libvirt] [PATCH v5 09/11] security: Label the external swtpm with SELinux labels

John Ferlan jferlan at redhat.com
Mon May 21 22:33:11 UTC 2018



On 05/15/2018 08:26 PM, Stefan Berger wrote:
> In this patch we label the swtpm process with SELinux labels. We give it the
> same label as the QEMU process has. We label its state directory and files
> as well. We restore the old security labels once the swtpm has terminated.
> 
> The file and process labels now look as follows:
> 
> Directory: /var/lib/libvirt/swtpm
> 
> [root@localhost swtpm]# ls -lZ
> total 4
> rwx------. 2 tss  tss  system_u:object_r:svirt_image_t:s0:c254,c932 4096 Apr  5 16:46 testvm
> 
> [root@localhost testvm]# ls -lZ
> total 8
> -rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 3648 Apr  5 16:46 tpm-00.permall
> 
> The log in /var/log/swtpm/libvirt/qemu is labeled as follows:
> 
> -rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 2237 Apr  5 16:46 vtpm.log
> 
> [root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep swtpm | grep ctrl | grep -v grep
> system_u:system_r:svirt_t:s0:c254,c932 tss 25664 0.0  0.0 28172  3892 ?        Ss   16:57   0:00 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/var/run/libvirt/qemu/swtpm/testvm-swtpm.sock,mode=0660 --tpmstate dir=/var/lib/libvirt/swtpm/testvm/tpm1.2 --log file=/var/log/swtpm/libvirt/qemu/testvm-swtpm.log
> 
> [root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep qemu | grep tpm | grep -v grep
> system_u:system_r:svirt_t:s0:c254,c932 qemu 25669 99.0  0.0 3096704 48500 ?    Sl   16:57   3:28 /bin/qemu-system-x86_64 [..]
> 
> Signed-off-by: Stefan Berger <stefanb at linux.vnet.ibm.com>
> ---
>  src/libvirt_private.syms        |   2 +
>  src/qemu/qemu_security.c        |  69 +++++++++++++++++
>  src/qemu/qemu_security.h        |  11 +++
>  src/qemu/qemu_tpm.c             |  12 ++-
>  src/security/security_driver.h  |   7 ++
>  src/security/security_manager.c |  36 +++++++++
>  src/security/security_manager.h |   6 ++
>  src/security/security_selinux.c | 164 ++++++++++++++++++++++++++++++++++++++++
>  src/security/security_stack.c   |  40 ++++++++++
>  9 files changed, 345 insertions(+), 2 deletions(-)
> 

Reviewed-by: John Ferlan <jferlan at redhat.com>

John
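The commit message above establishes an invariant worth checking on a live host: the swtpm process must run as svirt_t with exactly the MCS category pair of the guest's QEMU, and the TPM state directory and log must be svirt_image_t with that same pair, otherwise a compromised swtpm (or a swtpm of another guest) could reach state it should not. The script below is an added example, not code from libvirt or from this patch. It parses `ps auxZ` and `ls -lZ` output and reports every label that breaks that invariant; the sample lines are constructed copies of the listings quoted in the commit message, and the names (`check_vtpm_labels`, `process_context`, `file_contexts`) are this example's own.

```python
"""Consistency check for the sVirt labels of a guest's QEMU and swtpm.

Added example, not part of libvirt or of the patch under review.  It checks
that the swtpm process carries the same svirt_t context as the guest's QEMU
and that the TPM state/log files carry svirt_image_t with the same MCS
category pair, which is what the patch's labeling is meant to guarantee.
"""
import re
from dataclasses import dataclass

PROCESS_TYPE = "svirt_t"       # sVirt type for the qemu and swtpm processes
FILE_TYPE = "svirt_image_t"    # sVirt type for per-guest files

# Constructed sample input, copied from the `ps auxZ` / `ls -lZ` listings in
# the commit message (the qemu command line is truncated there as well).
PS_AUXZ = """\
system_u:system_r:svirt_t:s0:c254,c932 tss 25664 0.0 0.0 28172 3892 ? Ss 16:57 0:00 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/var/run/libvirt/qemu/swtpm/testvm-swtpm.sock,mode=0660 --tpmstate dir=/var/lib/libvirt/swtpm/testvm/tpm1.2 --log file=/var/log/swtpm/libvirt/qemu/testvm-swtpm.log
system_u:system_r:svirt_t:s0:c254,c932 qemu 25669 99.0 0.0 3096704 48500 ? Sl 16:57 3:28 /bin/qemu-system-x86_64
"""
LS_LZ = """\
-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 3648 Apr  5 16:46 tpm-00.permall
-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 2237 Apr  5 16:46 vtpm.log
"""


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    sensitivity: str
    categories: frozenset


def parse_context(ctx):
    """Split user:role:type:level and expand MCS categories (c254,c932 or c0.c1023)."""
    parts = ctx.strip().split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"not a SELinux context: {ctx!r}")
    user, role, type_, level = parts
    low = level.split("-", 1)[0]                  # for a range low-high use the low level
    sensitivity, _, cats = low.partition(":")
    categories = set()
    for item in filter(None, cats.split(",")):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", item)
        if not m:
            raise ValueError(f"bad MCS category {item!r} in {ctx!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        categories.update(range(lo, hi + 1))
    return Context(user, role, type_, sensitivity, frozenset(categories))


def process_context(ps_output, needle):
    """Label column of the first `ps auxZ` line whose command line contains needle."""
    for line in ps_output.splitlines():
        fields = line.split(None, 11)             # LABEL USER PID ... TIME COMMAND
        if len(fields) == 12 and needle in fields[11]:
            return fields[0]
    raise LookupError(f"no process matching {needle!r}")


def file_contexts(ls_output):
    """Map file name -> context from `ls -lZ` lines (context is the fifth column)."""
    result = {}
    for line in ls_output.splitlines():
        fields = line.split()
        if len(fields) >= 9 and not line.startswith("total"):
            result[fields[-1]] = fields[4]
    return result


def check_vtpm_labels(qemu_ctx, swtpm_ctx, files):
    """Return the list of violations; an empty list means the labels are consistent."""
    problems = []
    qemu = parse_context(qemu_ctx)
    swtpm = parse_context(swtpm_ctx)
    if qemu.type != PROCESS_TYPE:
        problems.append(f"qemu runs as {qemu.type}, expected {PROCESS_TYPE}")
    if not qemu.categories:
        problems.append("qemu has no MCS categories: nothing separates it from other guests")
    if swtpm.type != PROCESS_TYPE:
        problems.append(f"swtpm runs as {swtpm.type}, expected {PROCESS_TYPE}")
    if swtpm.categories != qemu.categories:
        problems.append("swtpm MCS categories differ from qemu's")
    for name, ctx in files.items():
        f = parse_context(ctx)
        if f.type != FILE_TYPE:
            problems.append(f"{name}: type {f.type}, expected {FILE_TYPE}")
        if f.categories != qemu.categories:
            problems.append(f"{name}: MCS categories differ from qemu's")
    return problems


def check_sample():
    """Run the check over the constructed sample listings."""
    return check_vtpm_labels(process_context(PS_AUXZ, "qemu-system"),
                             process_context(PS_AUXZ, "/usr/bin/swtpm"),
                             file_contexts(LS_LZ))


if __name__ == "__main__":
    for problem in check_sample() or ["labels consistent"]:
        print(problem)
```

On a running host, replace the two constants with the output of `ps auxZ` and of `ls -lZ` on the guest's directory under /var/lib/libvirt/swtpm and its log under /var/log/swtpm/libvirt/qemu; because the patch restores the previous labels once swtpm terminates, the check is only meaningful while the guest is running.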



