[PATCH 2/2] selinux: Don't ignore ENOENT in Permissive mode
Michal Prívozník
mprivozn at redhat.com
Tue Sep 21 08:44:43 UTC 2021
On 9/20/21 5:57 PM, Ján Tomko wrote:
> On a Monday in 2021, Michal Privoznik wrote:
>> In selinux driver there's virSecuritySELinuxSetFileconImpl()
>> which is responsible for actual setting of SELinux label on given
>> file and handling possible failures. In the failure handling code
>> we decide whether failure is fatal or not. But there is a bug:
>> depending on SELinux mode (Permissive vs. Enforcing) the ENOENT
>> is either ignored or considered fatal.
>
>> This is not correct - ENOENT
>> must always be fatal - QEMU will fail opening it anyways.
>>
>> Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2004850
>
> It won't get as far as trying to start QEMU. The error message in the
> linked bug:
> error: unable to stat: /var/lib/libvirt/images/slic.dat: No such file
> or directory
> comes from the DAC driver.
Correct. I should have rephrased that.
>
> IIUC in virSecurityStackTransactionCommit we happily commit the SELinux
> changes, fail to commit the DAC changes, but the rollback calling
> virSecurityManagerTransactionAbort does nothing.
Indeed.
>
> And since qemuSecuritySetAllLabel does not complete successfully,
> qemuProcessLaunch
> does not ask its callers to restore the labels.
Yes.
Michal
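As an added illustration, not libvirt's own code and not part of the thread: a hypothetical model of the errno classification the commit message describes, with the pre-fix behaviour beside the corrected one. The set of filesystem-related errnos treated as non-fatal (EOPNOTSUPP, ENOTSUP, EROFS) and the function names are assumptions made for this example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* How a failed label operation on a file should be treated. */
enum label_outcome { LABEL_OK, LABEL_IGNORED, LABEL_FATAL };

/* Hypothetical model of the buggy behaviour: whether an errno is fatal
 * depends only on the SELinux mode, so in Permissive mode a missing
 * file (ENOENT) is silently ignored and the failure surfaces later. */
enum label_outcome classify_buggy(int err, bool enforcing)
{
    if (err == 0)
        return LABEL_OK;
    /* Assumption: filesystems that cannot carry labels are never fatal. */
    if (err == EOPNOTSUPP || err == ENOTSUP || err == EROFS)
        return LABEL_IGNORED;
    return enforcing ? LABEL_FATAL : LABEL_IGNORED;
}

/* Hypothetical model of the fixed behaviour: ENOENT is fatal in both
 * modes, because the guest cannot open a file that does not exist,
 * so continuing only delays the error to a later stage. */
enum label_outcome classify_fixed(int err, bool enforcing)
{
    if (err == 0)
        return LABEL_OK;
    if (err == ENOENT)
        return LABEL_FATAL;
    if (err == EOPNOTSUPP || err == ENOTSUP || err == EROFS)
        return LABEL_IGNORED;
    return enforcing ? LABEL_FATAL : LABEL_IGNORED;
}

static const char *outcome_name(enum label_outcome o)
{
    return o == LABEL_OK ? "ok" : o == LABEL_IGNORED ? "ignored" : "fatal";
}

int main(void)
{
    /* Constructed scenario: the image path does not exist (ENOENT),
     * SELinux is in Permissive mode. */
    printf("permissive, ENOENT: buggy=%s fixed=%s\n",
           outcome_name(classify_buggy(ENOENT, false)),
           outcome_name(classify_fixed(ENOENT, false)));
    return 0;
}
```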