[PATCH v2] selinux label: restore all labels when some labels fail to set
Michal Privoznik
mprivozn at redhat.com
Fri Nov 20 07:49:22 UTC 2020
On 11/19/20 3:54 PM, Jin Yan wrote:
>
> On 2020/11/13 22:33, Michal Privoznik wrote:
>> On 11/13/20 10:47 AM, Jin Yan wrote:
>>
>>> Hi Michal,
>>> I found this problem while performing migration, based on
>>> libvirt version: 6.2.0
>>> SELinux mode: permissive
>>>
>>> Steps:
>>> 1. start a vm configured with pipe-type serial port.
>>> <serial type='pipe'>
>>> <source path='/tmp/test_pipe'/>
>>> <target type='system-serial' port='1'>
>>> <model name='pl011'/>
>>> </target>
>>> </serial>
>>> 2. migrate vm to Dst-side where no '/tmp/test_pipe' exists.
>>> 3. migration failed in Dst-side qemuProcessLaunch, and the path's label
>>> that has been set is not restored ('/var/lib/libvirt/qemu/nvram/XXX.fd').
>>>
>>> I have no idea why the 2) rollback you mentioned didn't work.
>>>
>>>
>> I'm not sure. I could not reproduce with the current master. Is it
>> possible for you to try the master?
>>
>> Michal
>
> I think we can reproduce it in an easier way, that is, by starting a VM
> whose XML is configured with a pipe file that does not exist on the local host:
> <serial type='pipe'>
> <source path='/tmp/serial.pipe'/>
> <target port='0'/>
> </serial>
This is what I have in XML:
<serial type='pipe'>
<source path='/tmp/test_pipe'/>
<target type='isa-serial' port='0'>
<model name='isa-serial'/>
</target>
</serial>
and the file doesn't exist.
>
> 1. Though '/tmp/serial.pipe' does not exist, this secdriver (if I'm not
> mistaken about this concept) returns success from setting the SELinux label, and the
> marked items (e.g. XXX.fd, XXX.iso) will not be rolled back.
>
> [call trace]:
> virSecuritySELinuxTransactionRun -- return 0
> virSecuritySELinuxSetFilecon -- return 0
> virSecuritySELinuxSetFileconImpl -- return 1, warned unable to ...
>
I don't get a warning. I get a regular error:
error: unable to set security context
'unconfined_u:object_r:svirt_image_t:s0:c339,c673' on '/tmp/test_pipe':
No such file or directory
> 2. The next secdriver, setting the DAC label in
> virSecurityDACTransactionRun(), returns false because the above file does not
> exist.
>
Oh, I think I get it now. So if one secdriver would fail but not the other,
then because of transactions the rollback would be ineffective?
> virSecurityManagerTransactionCommit() returns false, but where is the
> rollback performed for the other secdrivers (here meaning setting the
> SELinux label in 1)? I don't quite understand the second point you
> mentioned in your last reply:
> ---
> 2) rollback for other secdrivers after one failed is handled in
> virSecurityStackSetAllLabel().
> ---
>
> In addition, is there anything wrong with virSecuritySELinuxTransactionRun
> returning success while '/tmp/serial.pipe' does not exist?
I guess that is the source of the problem. Have you tried the latest release
(or master)?
Michal
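The scenario the thread is circling around is two stacked security drivers labelling the same set of files, one of which reports success after merely warning about a missing path, and the question of who is responsible for restoring the labels the first driver already changed when the second driver fails. The following C program is an added example written for this page; it is not libvirt's code and does not reproduce libvirt's internal data structures or call chain. It models the filesystem as an in-memory table (paths, labels and the "warn only" semantics are constructed) and runs the three combinations that matter: a warn-only SELinux-like driver followed by a strict DAC-like driver with per-driver undo, the same with a strict SELinux-like driver, and the warn-only driver with an undo log owned by the stack.

```c
/* Added example, not libvirt's code: a model of two stacked security
 * drivers (SELinux-like and DAC-like) labelling the same files inside
 * transactions, showing when a rollback does and does not restore the
 * original labels. Paths, labels and driver semantics are constructed. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

enum { SELINUX = 0, DAC = 1, NDRIVERS = 2 };
#define NFILES 2
#define MAXOPS 8

/* In-memory stand-in for the filesystem: one label per driver per file. */
struct file { const char *path; char label[NDRIVERS][64]; int exists; };
static struct file fs[NFILES];

void fs_reset(void) {
    fs[0] = (struct file){ "/var/lib/libvirt/qemu/nvram/guest.fd",
                           { "system_u:object_r:virt_var_lib_t:s0", "root:root" }, 1 };
    fs[1] = (struct file){ "/tmp/test_pipe", { "", "" }, 0 };  /* does not exist */
}

static struct file *lookup(const char *path) {
    for (int i = 0; i < NFILES; i++)
        if (fs[i].exists && strcmp(fs[i].path, path) == 0)
            return &fs[i];
    return NULL;
}

/* Stand-in for setfilecon()/chown(): fails with ENOENT on a missing path. */
static int set_label(int drv, const char *path, const char *label) {
    struct file *f = lookup(path);
    if (!f) { errno = ENOENT; return -1; }
    snprintf(f->label[drv], sizeof f->label[drv], "%s", label);
    return 0;
}

const char *get_label(int drv, const char *path) {
    struct file *f = lookup(path);
    return f ? f->label[drv] : NULL;
}

struct op   { const char *path; const char *label; };
struct undo { int drv; const char *path; char old[64]; };

static void rollback(const struct undo *log, size_t n) {
    while (n-- > 0)   /* undo in reverse order of application */
        set_label(log[n].drv, log[n].path, log[n].old);
}

/* One driver's transaction. warn_only models "warn about ENOENT and report
 * success"; a strict driver fails on it. Every change is appended to *log. */
static int driver_run(int drv, const struct op *ops, size_t n, int warn_only,
                      struct undo *log, size_t *nlog) {
    for (size_t i = 0; i < n; i++) {
        struct file *f = lookup(ops[i].path);
        if (!f) {
            if (warn_only) {
                fprintf(stderr, "warning: %s: %s\n", ops[i].path, strerror(ENOENT));
                continue;
            }
            errno = ENOENT;
            return -1;
        }
        log[*nlog] = (struct undo){ drv, ops[i].path, "" };
        snprintf(log[*nlog].old, sizeof log[*nlog].old, "%s", f->label[drv]);
        (*nlog)++;
        if (set_label(drv, ops[i].path, ops[i].label) < 0) return -1;
    }
    return 0;
}

/* Commit both drivers. With shared_log the stack owns one undo log and
 * restores everything on any failure; without it a driver's undo information
 * is discarded once it reports success, so only a failing driver undoes its
 * own changes. Returns 0 on success, -1 on failure. */
int stack_commit(int selinux_warn_only, int shared_log) {
    static const struct op sel_ops[] = {
        { "/var/lib/libvirt/qemu/nvram/guest.fd", "system_u:object_r:svirt_image_t:s0:c1,c2" },
        { "/tmp/test_pipe",                       "system_u:object_r:svirt_image_t:s0:c1,c2" },
    };
    static const struct op dac_ops[] = {
        { "/var/lib/libvirt/qemu/nvram/guest.fd", "qemu:qemu" },
        { "/tmp/test_pipe",                       "qemu:qemu" },
    };
    struct undo log[MAXOPS];
    size_t nlog = 0;

    if (driver_run(SELINUX, sel_ops, 2, selinux_warn_only, log, &nlog) < 0) {
        rollback(log, nlog);
        return -1;
    }
    if (!shared_log) nlog = 0;   /* first driver "succeeded": its undo info is gone */
    if (driver_run(DAC, dac_ops, 2, 0, log, &nlog) < 0) {
        rollback(log, nlog);
        return -1;
    }
    return 0;
}

int main(void) {
    const char *nvram = "/var/lib/libvirt/qemu/nvram/guest.fd";
    fs_reset(); stack_commit(1, 0);
    printf("warn-only SELinux, per-driver undo: nvram SELinux label is %s\n", get_label(SELINUX, nvram));
    fs_reset(); stack_commit(0, 0);
    printf("strict SELinux, per-driver undo:    nvram SELinux label is %s\n", get_label(SELINUX, nvram));
    fs_reset(); stack_commit(1, 1);
    printf("warn-only SELinux, shared undo:     nvram SELinux label is %s\n", get_label(SELINUX, nvram));
    return 0;
}
```

The first run is the case described in the thread: the warn-only driver has already relabelled the nvram file and reported success, the DAC driver then fails on the missing pipe and undoes only its own change, and the nvram file is left carrying the svirt_image_t label. Either of the other two choices fixes it: make the first driver fail on the missing path so it rolls itself back, or keep the undo information at the stack level so a later failure can restore what an earlier, "successful" driver changed.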