Re: [PATCH] security_selinux.c: Relabel existing mode="bind" UNIX sockets

Michal Prívozník <mprivozn@xxxxxxxxxx> · Fri, 1 Jul 2022 14:54:04 +0200

On 6/28/22 14:33, David Michael wrote:
> This supports sockets created by libvirt and passed by FD using the
> same method as in security_dac.c.
> 
> Signed-off-by: David Michael <david@xxxxxxxxxxxxxxxxxxxxxx>
> ---
> 
> Hi,
> 
> Custom SELinux labels are not applied to sockets when they have
> mode="bind", but other security models (DAC) allow changing these
> sockets.  Can the same method be used to support SELinux?
> 
> Thanks.
> 
> David
> 
>  src/security/security_selinux.c            | 6 ++++--
>  tests/securityselinuxlabeldata/chardev.txt | 2 +-
>  2 files changed, 5 insertions(+), 3 deletions(-)
> 
> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
> index e2f34a27dc..8b258c9e36 100644
> --- a/src/security/security_selinux.c
> +++ b/src/security/security_selinux.c
> @@ -2541,7 +2541,9 @@ virSecuritySELinuxSetChardevLabel(virSecurityManager *mgr,
>          break;
>  
>      case VIR_DOMAIN_CHR_TYPE_UNIX:
> -        if (!dev_source->data.nix.listen) {
> +        if (!dev_source->data.nix.listen ||
> +            (dev_source->data.nix.path &&
> +             virFileExists(dev_source->data.nix.path))) {

I've copied the comment from corresponding _dac.c function, so that it's
obvious why we are relabelling in this case too.

>              if (virSecuritySELinuxSetFilecon(mgr,
>                                               dev_source->data.nix.path,
>                                               imagelabel,
> @@ -2618,7 +2620,7 @@ virSecuritySELinuxRestoreChardevLabel(virSecurityManager *mgr,
>      case VIR_DOMAIN_CHR_TYPE_UNIX:
>          if (!dev_source->data.nix.listen) {
>              if (virSecuritySELinuxRestoreFileLabel(mgr,
> -                                                   dev_source->data.file.path,
> +                                                   dev_source->data.nix.path,
>                                                     true) < 0)
>                  goto done;
>          }
> diff --git a/tests/securityselinuxlabeldata/chardev.txt b/tests/securityselinuxlabeldata/chardev.txt
> index 3f4b6302b9..bdb367f7a5 100644
> --- a/tests/securityselinuxlabeldata/chardev.txt
> +++ b/tests/securityselinuxlabeldata/chardev.txt
> @@ -2,6 +2,6 @@
>  /plain.dev;system_u:object_r:svirt_image_t:s0:c41,c264
>  /plain.fifo;system_u:object_r:svirt_image_t:s0:c41,c264
>  /nolabel.sock;
> -/plain.sock;
> +/plain.sock;system_u:object_r:svirt_image_t:s0:c41,c264
>  /yeslabel.sock;system_u:object_r:svirt_image_t:s0:c41,c264
>  /altlabel.sock;system_u:object_r:svirt_image_custom_t:s0:c41,c264

Reviewed-by: Michal Privoznik <mprivozn@xxxxxxxxxx>

and pushed. Congratulations on your first libvirt contribution!

Michal