On 04.11.2016 17:32, Martin Pitt wrote:
> Hello Michal,
>
> Michal Privoznik [2016-11-04 8:47 +0100]:
>> That means that whenever a VM is being started up, libvirtd (our
>> daemon) relabels all the necessary paths that the QEMU process
>> (representing the VM) can touch.
>
> Does that mean it's shipping a udev rule that does that? Or does it
> actually listen to uevents by itself (possibly via libudev) and apply
> the labels?

No. At the domain startup phase we know all the devices (paths) the
domain is configured to have. So we iterate over them and
chown()/setfilecon_raw() them. BTW: "domain" is how we refer to a VM in
libvirt terminology.

>
>> However, I'm facing an issue that I don't know how to fix. In some
>> cases QEMU can close & reopen a block device. However, closing a
>> block device triggers an event, and hence if there is a rule that
>> sets a security label on a device, the QEMU process is unable to
>> reopen the device again.
>
> Is that triggering the above libvirtd action (in the daemon via
> libudev or via a udev rule), or is that something else?

No, it's triggering other rules that the user may already have. For
instance:

# cat /etc/udev/rules.d/51-qemu.rules
KERNEL=="sd*", GROUP="qemu"

>
>> My question is, what can we do to prevent udev from mangling the
>> security labels that we've set on the devices?
>
> Sorry for my ignorance, but my question in return is: What's the udev
> rule that mangles it in the first place? I don't see any such rule in
> upstream systemd or in Debian/Ubuntu, but it's of course possible that
> Fedora ships such a rule via another package.

Frankly, I have no idea where the rule comes from either. But no matter
what, I guess we should have a way to skip devices assigned to a domain
when it comes to rules execution.

>
>> One of the ideas our lead developer had was for libvirt to set some
>> kind of udev label on devices managed by libvirt (when setting up
>> security labels), and then whenever udev sees such a labelled device
>> it won't touch it at all (this could be achieved by a rule perhaps?).
>> Later, when the domain is shutting down, libvirt removes that label.
>> But I don't think setting an arbitrary label on devices is supported,
>> is it?
>
> It actually is -- they are called "tags" (TAG+=) and "properties"
> (ENV{PROPNAME}="foo"), see udev(7). So indeed the most straightforward
> way would be to tag or set a property on those devices which you want
> to handle in libvirtd yourself, and then add something like
>
> TAG=="libvirtd", GOTO="skip_selinux_context"
> [... original rule that changes context goes here ..]
> LABEL="skip_selinux_context"

I fear that this will not work because another rule may have already
changed the label.

BTW: I don't see an API to add a tag to a device. I only see an API to
check if a device has a given tag. Libvirt's written in C, so something
like udev_device_add_tag() is needed if we were to go with tags (which,
again, I don't think is helpful enough).

Michal

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
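Worked example, added here and not part of the thread or of libvirt's own rules: the guard Martin sketches, written out against the user's 51-qemu.rules quoted in the message. It assumes a tag named libvirtd has already been applied to the device by an earlier rule (that tagging rule is hypothetical; how libvirt would get the tag onto a device is exactly what the thread leaves open). Two udev details bear on Michal's objection: udev processes rules files in lexical order of their file names, and GOTO only jumps to a LABEL in the same file, so a guard in one file protects nothing in files udev has already processed or in other files that also touch the device.

```udev
# /etc/udev/rules.d/51-qemu.rules, guarded version (example, not libvirt's file).
# Assumes an earlier rule (hypothetical) has already done TAG+="libvirtd" on
# the devices libvirtd relabelled itself; the tag is matched here, not set.

# Devices libvirtd manages skip the rest of this file.
TAG=="libvirtd", GOTO="qemu_rules_end"

# The user's original rule from the message, now reached only for untagged devices.
KERNEL=="sd*", GROUP="qemu"

LABEL="qemu_rules_end"
```

To see whether a rule in some other file still rewrites the ownership after a close/reopen, run udevadm test on the device's sysfs path (for example udevadm test /sys/class/block/sda, path assumed): it logs the rules it applies and prints the device's resulting properties, including TAGS, without touching the real device node.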