On Tue, Feb 21, 2023 at 08:19:05PM +0100, Stefano Brivio wrote: > qemuSecurityCommandRun() causes an explicit domain transition of the > new process, but passt ships with its own SELinux policy, with > external interfaces for libvirtd, so we simply need to transition > from virtd_t to passt_t as passt is executed. The qemu type > enforcement rules have little to do with it. Can you clarify the difference here ? Runing passt under 'svirt_t' is not desirable as that allows many actions that are only relevant to QEMU. Running passt under the MCS label that is associated with the VM is highly desirable though. Two passt instances belonging to separate VMs are isolated from each other if they each use the VM specific MCS label, than if they use the global default MCS label. To use the VM specific MCS label would require libvirt to explicitly set the desired selinux label on exec, it can't happen automatically via an SELinux transition rule. We do stil want to use the passt_t type though. IOW, if we have a VM running svirt_t:s0:c710,c716 IMHO we would its corresponding passt instance to be running passt_t:s0:c710,c716 not passt_t:s0:c0.c1023 > > Usage of those new interfaces is implemented by this change in > selinux-policy: > https://github.com/fedora-selinux/selinux-policy/pull/1613 > > Replace qemuSecurityCommandRun() with virCommandRun(), which simply > does that: it runs the command. > > Fixes: a56f0168d576 ("qemu: hook up passt config to qemu domains") > Signed-off-by: Stefano Brivio <sbrivio@xxxxxxxxxx> > --- > src/qemu/qemu_passt.c | 7 +------ > 1 file changed, 1 insertion(+), 6 deletions(-) > > diff --git a/src/qemu/qemu_passt.c b/src/qemu/qemu_passt.c > index 1217a6a087..1a67cf44de 100644 > --- a/src/qemu/qemu_passt.c > +++ b/src/qemu/qemu_passt.c > @@ -158,8 +158,6 @@ qemuPasstStart(virDomainObj *vm, > g_autofree char *errbuf = NULL; > char macaddr[VIR_MAC_STRING_BUFLEN]; > size_t i; > - int exitstatus = 0; > - int cmdret = 0; > > cmd = virCommandNew(PASST); > > @@ -271,10 +269,7 @@ qemuPasstStart(virDomainObj *vm, > if (qemuExtDeviceLogCommand(driver, vm, cmd, "passt") < 0) > return -1; > > - if (qemuSecurityCommandRun(driver, vm, cmd, -1, -1, &exitstatus, &cmdret) < 0) > - goto error; > - > - if (cmdret < 0 || exitstatus != 0) { > + if (virCommandRun(cmd, NULL)) { > virReportError(VIR_ERR_INTERNAL_ERROR, > _("Could not start 'passt': %s"), NULLSTR(errbuf)); > goto error; > -- > 2.39.1 > With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
