[libvirt] [PATCH] virSecuritySELinuxSetTapFDLabel: Temporarily revert to old behavior
Cole Robinson
crobinso at redhat.com
Thu Sep 18 16:32:34 UTC 2014
On 09/18/2014 10:20 AM, Michal Privoznik wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=1141879
>
> A long time ago I've implemented support for so called multiqueue
> net. The idea was to let guest network traffic be processed by
> multiple host CPUs and thus increasing performance. However, this
> behavior is enabled by QEMU via special ioctl() iterated over the
> all tap FDs passed in by libvirt. Unfortunately, SELinux comes in
> and disallows the ioctl() call because the /dev/net/tun has label
> system_u:object_r:tun_tap_device_t:s0 and 'attach_queue' ioctl()
> is not allowed on tun_tap_device_t type. So after discussion with
> a SELinux developer we've decided that the FDs passed to the QEMU
> should be labelled with svirt_t type and SELinux policy will
> allow the ioctl(). Therefore I've made a patch
> (cf976d9dcf4e592261b14f03572) that does exactly this. However,
> things are not that easy - even though the API to label FD is
> called (fsetfilecon_raw) the underlying file is labelled too! So
> effectively we are mangling /dev/net/tun label. Yes, that broke
> dozen of other application from openvpn, or boxes, to qemu
> running other domains.
>
> The best solution would be if SELinux provides a way to label an
> FD only, which could be then labeled when passed to the qemu.
> However that's a long path to go and we should fix this
> regression AQAP. So I went to talk to the SELinux developer again
> and we agreed on temporary solution that:
>
> 1) my patch is reverted
> 2) SELinux temporarily allows 'attach_queue' on the
> tun_tap_device_t
>
> Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
ACK
- Cole
More information about the libvir-list
mailing list