[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH 3/3] Fix parsing of SELinux ranges without a category



On 03/13/2013 12:04 PM, Daniel P. Berrange wrote:
> From: "Daniel P. Berrange" <berrange redhat com>
> 
> Normally libvirtd should run with a SELinux label
> 
>   system_u:system_r:virtd_t:s0-s0:c0.c1023
> 
> If a user manually runs libvirtd though, it is sometimes
> possible to get into a situation where it is running
> 
>   system_u:system_r:init_t:s0
> 
> The SELinux security driver isn't expecting this and can't
> parse the security label since it lacks the ':c0.c1023' part
> causing it to complain
> 
>   internal error Cannot parse sensitivity level in s0
> 
> This updates the parser to cope with this, so if no category
> is present, libvirtd will hardcode the equivalent of c0.c1023.
> 
> Now this won't work if SELinux is in Enforcing mode, but that's
> not an issue, because the user can only get into this problem
> if in Permissive mode. This means they can now start VMs in
> Permissive mode without hitting that parsing error
> 
> Signed-off-by: Daniel P. Berrange <berrange redhat com>
> ---
>  src/security/security_selinux.c | 38 +++++++++++++++++++++++++++++---------
>  tests/securityselinuxtest.c     | 12 ++++++++++++
>  2 files changed, 41 insertions(+), 9 deletions(-)

ACK.


> + *
> + * In the first two cases, we'll assume c0.c1023 for
> + * the category part, since that's what we're really
> + * interested in. This won't work in Enforcing mode,
> + * but will prevent libvirtd breaking in Permissive
> + * mode when run with a wierd procss label.

s/wierd procss/weird process/

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]