mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-12-22 17:34:18 +03:00
Fix parsing of SELinux ranges without a category
Normally libvirtd should run with a SELinux label system_u:system_r:virtd_t:s0-s0:c0.c1023 If a user manually runs libvirtd though, it is sometimes possible to get into a situation where it is running system_u:system_r:init_t:s0 The SELinux security driver isn't expecting this and can't parse the security label since it lacks the ':c0.c1023' part causing it to complain internal error Cannot parse sensitivity level in s0 This updates the parser to cope with this, so if no category is present, libvirtd will hardcode the equivalent of c0.c1023. Now this won't work if SELinux is in Enforcing mode, but that's not an issue, because the user can only get into this problem if in Permissive mode. This means they can now start VMs in Permissive mode without hitting that parsing error Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
This commit is contained in:
parent
4a92fe4413
commit
1732c1c629
@ -159,6 +159,20 @@ virSecuritySELinuxMCSFind(virSecurityManagerPtr mgr,
|
|||||||
return mcs;
|
return mcs;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/*
|
||||||
|
* This needs to cope with several styles of range
|
||||||
|
*
|
||||||
|
* system_u:system_r:virtd_t:s0
|
||||||
|
* system_u:system_r:virtd_t:s0-s0
|
||||||
|
* system_u:system_r:virtd_t:s0-s0:c0.c1023
|
||||||
|
*
|
||||||
|
* In the first two cases, we'll assume c0.c1023 for
|
||||||
|
* the category part, since that's what we're really
|
||||||
|
* interested in. This won't work in Enforcing mode,
|
||||||
|
* but will prevent libvirtd breaking in Permissive
|
||||||
|
* mode when run with a wierd process label.
|
||||||
|
*/
|
||||||
static int
|
static int
|
||||||
virSecuritySELinuxMCSGetProcessRange(char **sens,
|
virSecuritySELinuxMCSGetProcessRange(char **sens,
|
||||||
int *catMin,
|
int *catMin,
|
||||||
@ -166,7 +180,8 @@ virSecuritySELinuxMCSGetProcessRange(char **sens,
|
|||||||
{
|
{
|
||||||
security_context_t ourSecContext = NULL;
|
security_context_t ourSecContext = NULL;
|
||||||
context_t ourContext = NULL;
|
context_t ourContext = NULL;
|
||||||
char *cat, *tmp;
|
char *cat = NULL;
|
||||||
|
char *tmp;
|
||||||
int ret = -1;
|
int ret = -1;
|
||||||
|
|
||||||
if (getcon_raw(&ourSecContext) < 0) {
|
if (getcon_raw(&ourSecContext) < 0) {
|
||||||
@ -186,20 +201,25 @@ virSecuritySELinuxMCSGetProcessRange(char **sens,
|
|||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Find and blank out the category part */
|
/* Find and blank out the category part (if any) */
|
||||||
if (!(tmp = strchr(*sens, ':'))) {
|
tmp = strchr(*sens, ':');
|
||||||
virReportError(VIR_ERR_INTERNAL_ERROR,
|
if (tmp) {
|
||||||
_("Cannot parse sensitivity level in %s"),
|
*tmp = '\0';
|
||||||
*sens);
|
cat = tmp + 1;
|
||||||
goto cleanup;
|
|
||||||
}
|
}
|
||||||
*tmp = '\0';
|
|
||||||
cat = tmp + 1;
|
|
||||||
/* Find and blank out the sensitivity upper bound */
|
/* Find and blank out the sensitivity upper bound */
|
||||||
if ((tmp = strchr(*sens, '-')))
|
if ((tmp = strchr(*sens, '-')))
|
||||||
*tmp = '\0';
|
*tmp = '\0';
|
||||||
/* sens now just contains the sensitivity lower bound */
|
/* sens now just contains the sensitivity lower bound */
|
||||||
|
|
||||||
|
/* If there was no category part, just assume c0.c1024 */
|
||||||
|
if (!cat) {
|
||||||
|
*catMin = 0;
|
||||||
|
*catMax = 1024;
|
||||||
|
ret = 0;
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
/* Find & extract category min */
|
/* Find & extract category min */
|
||||||
tmp = cat;
|
tmp = cat;
|
||||||
if (tmp[0] != 'c') {
|
if (tmp[0] != 'c') {
|
||||||
|
@ -296,6 +296,18 @@ mymain(void)
|
|||||||
ret = -1; \
|
ret = -1; \
|
||||||
} while (0)
|
} while (0)
|
||||||
|
|
||||||
|
DO_TEST_GEN_LABEL("dynamic unconfined, s0, c0.c1023",
|
||||||
|
"unconfined_u:unconfined_r:unconfined_t:s0",
|
||||||
|
true, NULL, NULL,
|
||||||
|
"unconfined_u", "unconfined_r", "object_r",
|
||||||
|
"svirt_t", "svirt_image_t",
|
||||||
|
0, 0, 0, 1023);
|
||||||
|
DO_TEST_GEN_LABEL("dynamic unconfined, s0, c0.c1023",
|
||||||
|
"unconfined_u:unconfined_r:unconfined_t:s0-s0",
|
||||||
|
true, NULL, NULL,
|
||||||
|
"unconfined_u", "unconfined_r", "object_r",
|
||||||
|
"svirt_t", "svirt_image_t",
|
||||||
|
0, 0, 0, 1023);
|
||||||
DO_TEST_GEN_LABEL("dynamic unconfined, s0, c0.c1023",
|
DO_TEST_GEN_LABEL("dynamic unconfined, s0, c0.c1023",
|
||||||
"unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
|
"unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
|
||||||
true, NULL, NULL,
|
true, NULL, NULL,
|
||||||
|
Loading…
Reference in New Issue
Block a user