xenbits.xensource.com Git - people/liuw/libxenctrl-split/libvirt.git/commit
selinux: add security selinux function to label tapfd
author: Guannan Ren <gren@redhat.com>
Mon, 15 Oct 2012 09:03:49 +0000 (17:03 +0800)
committer: Guannan Ren <gren@redhat.com>
Mon, 15 Oct 2012 13:01:07 +0000 (21:01 +0800)
commit: ae368ebfcc4923d0b32e83d4ca96a6f599625785
tree: 9c4c65c96bb65735e7957895ecb62566701d7b3f
parent: 7ba5defb5a34bb82de2f16467c2b8d157cd14d2d
BZ: https://bugzilla.redhat.com/show_bug.cgi?id=851981
When using macvtap, a character device is first created by the
kernel with the name /dev/tapN; its SELinux context is:
system_u:object_r:device_t:s0

Shortly after, when udev gets the notification that a new file has
been created in /dev, it jumps in and relabels this file back to the
expected default context:
system_u:object_r:tun_tap_device_t:s0

There is a time gap in between.
Sometimes migration fails with an AVC error message:
type=AVC msg=audit(1349858424.233:42507): avc:  denied  { read write } for
pid=19926 comm="qemu-kvm" path="/dev/tap33" dev=devtmpfs ino=131524
scontext=unconfined_u:system_r:svirt_t:s0:c598,c908
tcontext=system_u:object_r:device_t:s0 tclass=chr_file

This patch labels the tapfd device before the qemu process starts:
system_u:object_r:tun_tap_device_t:MCS (MCS taken from seclabel->label)
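The label derivation the message describes, as an added example that is not libvirt's code: the target context is the default tun_tap_device_t context with the MCS level of the domain's process label appended, and a helper reports whether an fd still carries the kernel-assigned device_t type. Function names are hypothetical; the actual relabel call (libselinux fsetfilecon(3)) is left out so the file builds without libselinux.

```c
#include <stdio.h>
#include <string.h>

/* Default context udev would assign to /dev/tapN, without the MCS level. */
#define TAP_BASE_CONTEXT "system_u:object_r:tun_tap_device_t"

/* Copy colon-separated field n of ctx into out; field 3 is the whole
 * remainder (the MCS level, e.g. "s0:c598,c908").  Returns 0 or -1. */
static int context_field(const char *ctx, int n, char *out, size_t outlen)
{
    const char *p = ctx, *end;
    size_t len;
    int i;

    for (i = 0; i < n; i++) {
        p = strchr(p, ':');
        if (!p)
            return -1;
        p++;
    }
    end = (n < 3) ? strchr(p, ':') : NULL;
    len = end ? (size_t)(end - p) : strlen(p);
    if (len == 0 || len >= outlen)
        return -1;
    memcpy(out, p, len);
    out[len] = '\0';
    return 0;
}

/* Build the context to apply to the tap fd: tun_tap_device_t with the MCS
 * level of the domain's process label (seclabel->label in the message).
 * The result is what a caller would hand to fsetfilecon(3). */
int tap_context_for_label(const char *seclabel, char *out, size_t outlen)
{
    char level[128];

    if (context_field(seclabel, 3, level, sizeof level) < 0)
        return -1;
    if (snprintf(out, outlen, TAP_BASE_CONTEXT ":%s", level) >= (int)outlen)
        return -1;
    return 0;
}

/* 1 if the fd's current context (as fgetfilecon(3) would report it) still
 * has the generic device_t type, i.e. udev has not relabeled it yet and
 * qemu would hit the AVC denial quoted above; 0 otherwise; -1 on bad input. */
int tap_still_device_t(const char *cur)
{
    char type[128];

    if (context_field(cur, 2, type, sizeof type) < 0)
        return -1;
    return strcmp(type, "device_t") == 0;
}
```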
src/libvirt_private.syms
src/qemu/qemu_command.c
src/security/security_apparmor.c
src/security/security_dac.c
src/security/security_driver.h
src/security/security_manager.c
src/security/security_manager.h
src/security/security_nop.c
src/security/security_selinux.c
src/security/security_stack.c