[PATCH] security_selinux.c: Relabel existing mode="bind" UNIX sockets

Daniel P. Berrangé berrange at redhat.com
Tue Jun 28 21:13:01 UTC 2022


On Tue, Jun 28, 2022 at 05:00:06PM -0400, David Michael wrote:
> On Tue, Jun 28, 2022 at 4:14 PM Martin Kletzander <mkletzan at redhat.com> wrote:
> > On Tue, Jun 28, 2022 at 10:18:25AM -0400, David Michael wrote:
> > >On Tue, Jun 28, 2022 at 10:03 AM Daniel P. Berrangé <berrange at redhat.com> wrote:
> > >> On Tue, Jun 28, 2022 at 08:33:41AM -0400, David Michael wrote:
> > >> > This supports sockets created by libvirt and passed by FD using the
> > >> > same method as in security_dac.c.
> > >> >
> > >> > Signed-off-by: David Michael <david at bigbadwolfsecurity.com>
> > >> > ---
> > >> >
> > >> > Hi,
> > >> >
> > >> > Custom SELinux labels are not applied to sockets when they have
> > >> > mode="bind", but other security models (DAC) allow changing these
> > >> > sockets.  Can the same method be used to support SELinux?
> > >>
> > >> This is rather intriguing. There must have been some compelling
> > >> reason why we intentionally skipped listener sockets for SELinux
> > >> labelling originally, but I'm struggling to recall what it could
> > >> have been. Conceptually it makes sense to want to label the
> > >> listener sockets with the per-VM label.
> > >>
> >
> > Could it be that we only thought about the scenario of someone
> > connecting to the socket (and the fact that it matters more what the
> > actual socket label is rather than its file representation) but did not
> > think about other possibilities, e.g. QEMU rewriting the socket (because
> > we remove it before starting or any other reason) or some custom policy?
> 
> I checked the Git history for when DAC made the change, which has some
> further links for context:
> 
> https://gitlab.com/libvirt/libvirt/-/commit/d6b8838dd83697f721fe0706068df765148154de
> 
> It looks like socket DAC relabeling was added shortly after libvirt
> started creating the sockets to pass as FDs within the last few years,
> but the related SELinux socket code hasn't been modified since it was
> added a decade ago.  Seems like it just got left behind after that
> change?

Yeah that looks like the cause. Originally when QEMU invoked the
bind() + listen(), it would inherit labelling, so we wouldn't need
to do anything special ourselves. When we switched to creating it
ourselves & passing the FD we broke that implicit behaviour we
relied on.


With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
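The mechanism Daniel describes, as an added example (not code from this thread or from libvirt): a Python 3.9+/Linux script that, like libvirt, creates and binds a mode="bind" UNIX socket, tries to relabel the bound path through the security.selinux xattr (the SELinux analogue of the chown() the DAC driver does), and then hands the listener over SCM_RIGHTS to a receiver that can accept() without ever having created the inode. The context string and the vm.sock path are placeholders; relabel() returns False on a host without SELinux or without permission to set the xattr.

```python
import os, socket, stat, tempfile
SELINUX_XATTR = "security.selinux"

def create_listener(path):
    # Like libvirt for mode="bind": we bind, so the inode gets our uid/context.
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.bind(path)
    sock.listen(1)
    return sock

def get_label(path):
    # On-disk context of the socket file; None if the xattr is absent.
    try:
        return os.getxattr(path, SELINUX_XATTR).rstrip(b"\0").decode()
    except (OSError, AttributeError):  # SELinux off, no xattrs, non-Linux
        return None

def relabel(path, label):
    # SELinux analogue of the chown() in security_dac.c; True if kernel accepted.
    try:
        os.setxattr(path, SELINUX_XATTR, label.encode() + b"\0")
        return True
    except (OSError, AttributeError):
        return False

def hand_off_and_accept(listener):
    # Hand the FD over SCM_RIGHTS (libvirt -> QEMU); the receiver never bind()s.
    parent, child = socket.socketpair()
    socket.send_fds(parent, [b"listener"], [listener.fileno()])
    _, fds, _, _ = socket.recv_fds(child, 16, 1)
    received = socket.socket(fileno=fds[0])  # the "QEMU" end of the FD
    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    client.connect(listener.getsockname())
    conn, _ = received.accept()
    client.sendall(b"ping")
    data = conn.recv(4)
    for s in (conn, client, received, parent, child):
        s.close()
    return data

def demo(label="system_u:object_r:PLACEHOLDER_t:s0"):  # placeholder context
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "vm.sock")
    listener = create_listener(path)
    st = os.lstat(path)
    result = {"created_by_us": stat.S_ISSOCK(st.st_mode) and st.st_uid == os.getuid(),
              "relabelled": relabel(path, label), "label_after": get_label(path),
              "echo": hand_off_and_accept(listener)}
    listener.close(); os.unlink(path); os.rmdir(workdir)
    return result
```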
