security: selinux: Handle security labelling of FD-passed images

Unfortunately unlike with DAC we can't simply ignore labelling for the
FD and it also influences the on-disk state.

Thus we need to relabel the FD and we also store the existing label in
cases when the user will request best-effort label replacement.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>

diff --git a/src/conf/storage_source_conf.c b/src/conf/storage_source_conf.c
index 1c11eacb9dbfecfd18f73ca392b47f1783e50d02..cecd7e811ef7a471a98675c1db0455fa7f40f62c 100644 (file)
--- a/src/conf/storage_source_conf.c
+++ b/src/conf/storage_source_conf.c
@@ -1399,6 +1399,7 @@ virStorageSourceFDTupleFinalize(GObject *object)
 
     g_free(fdt->fds);
     g_free(fdt->testfds);
+    g_free(fdt->selinuxLabel);
     G_OBJECT_CLASS(vir_storage_source_fd_tuple_parent_class)->finalize(object);
 }
 

diff --git a/src/conf/storage_source_conf.h b/src/conf/storage_source_conf.h
index f981261ff462e025abbd00c27bf99b90d37db2ad..14a6825d54cb2732acf5156579f925cf36f8c81f 100644 (file)
--- a/src/conf/storage_source_conf.h
+++ b/src/conf/storage_source_conf.h
@@ -269,6 +269,9 @@ struct _virStorageSourceFDTuple {
 
     /* connection this FD tuple is associated with for auto-closing */
     virConnect *conn;
+
+    /* original selinux label when we relabel the image */
+    char *selinuxLabel;
 };
 G_DECLARE_FINAL_TYPE(virStorageSourceFDTuple, vir_storage_source_fd_tuple, VIR, STORAGE_SOURCE_FD_TUPLE, GObject);
 

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 93cc12407a60c91d96c0e7c2e764aff4d63f505f..a42d86216a5e4b980220984bbde7d7cc4a181026 100644 (file)
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1741,6 +1741,19 @@ virSecuritySELinuxRestoreImageLabelSingle(virSecurityManager *mgr,
     if (src->readonly || src->shared)
         return 0;
 
+    if (virStorageSourceIsFD(src)) {
+        if (migrated)
+            return 0;
+
+        if (!src->fdtuple ||
+            !src->fdtuple->selinuxLabel ||
+            src->fdtuple->nfds == 0)
+            return 0;
+
+        ignore_value(virSecuritySELinuxFSetFilecon(src->fdtuple->fds[0],
+                                                   src->fdtuple->selinuxLabel));
+        return 0;
+    }
 
     /* If we have a shared FS and are doing migration, we must not change
      * ownership, because that kills access on the destination host which is
@@ -1888,7 +1901,24 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityManager *mgr,
         path = vfioGroupDev;
     }
 
-    ret = virSecuritySELinuxSetFilecon(mgr, path, use_label, remember);
+    if (virStorageSourceIsFD(src)) {
+        /* We can only really do labelling when we have the FD as the path
+         * may not be accessible for us */
+        if (!src->fdtuple || src->fdtuple->nfds == 0)
+            return 0;
+
+        /* force a writable label for the image if requested */
+        if (src->fdtuple->writable && secdef->imagelabel)
+            use_label = secdef->imagelabel;
+
+        /* store the existing selinux label for the image */
+        if (!src->fdtuple->selinuxLabel)
+            fgetfilecon_raw(src->fdtuple->fds[0], &src->fdtuple->selinuxLabel);
+
+        ret = virSecuritySELinuxFSetFilecon(src->fdtuple->fds[0], use_label);
+    } else {
+        ret = virSecuritySELinuxSetFilecon(mgr, path, use_label, remember);
+    }
 
     if (ret == 1 && !disk_seclabel) {
         /* If we failed to set a label, but virt_use_nfs let us