Re: [PATCH] qemu_process: Release domain seclabel later in qemuProcessStop()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Dec 09, 2020 at 11:26:52AM +0100, Michal Privoznik wrote:
> Some secdrivers (typically SELinux driver) generate unique
> dynamic seclabel for each domain (unless a static one is
> requested in domain XML). This is achieved by calling
> qemuSecurityGenLabel() from qemuProcessPrepareDomain() which
> allocates unique seclabel and stores it in domain def->seclabels.
> The counterpart is qemuSecurityReleaseLabel() which releases the
> label and removes it from def->seclabels. Problem is, that with
> current code the qemuProcessStop() may still want to use the
> seclabel after it was released, e.g. when it wants to restore the
> label of a disk mirror.
> 
> What is happening now, is that in qemuProcessStop() the
> qemuSecurityReleaseLabel() is called, which removes the SELinux
> seclabel from def->seclabels, yada yada yada and eventually
> qemuSecurityRestoreImageLabel() is called. This bubbles down to
> virSecuritySELinuxRestoreImageLabelSingle() which find no SELinux
> seclabel (using virDomainDefGetSecurityLabelDef()) and this
> returns early doing nothing.
> 
> Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1751664
> Fixes: 8fa0374c5b8e834fcbdeae674cc6cc9e6bf9019f
> Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx>
> ---
>  src/qemu/qemu_process.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)

Reviewed-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>


Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux