Fix parsing of SELinux ranges without a category

Normally libvirtd should run with a SELinux label

  system_u:system_r:virtd_t:s0-s0:c0.c1023

If a user manually runs libvirtd though, it is sometimes
possible to get into a situation where it is running

  system_u:system_r:init_t:s0

The SELinux security driver isn't expecting this and can't
parse the security label since it lacks the ':c0.c1023' part
causing it to complain

  internal error Cannot parse sensitivity level in s0

This updates the parser to cope with this, so if no category
is present, libvirtd will hardcode the equivalent of c0.c1023.

Now this won't work if SELinux is in Enforcing mode, but that's
not an issue, because the user can only get into this problem
if in Permissive mode. This means they can now start VMs in
Permissive mode without hitting that parsing error

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit 1732c1c62997b9f5ce39e5eb4d1ef2f842af73e1)

Conflicts:
	src/security/security_selinux.c

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index b539ce097d6ca5178861bd1f896e985badeed665..24615db7d84bf7939834b8fee7035f00f311bd27 100644 (file)
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -159,6 +159,20 @@ virSecuritySELinuxMCSFind(virSecurityManagerPtr mgr,
     return mcs;
 }
 
+
+/*
+ * This needs to cope with several styles of range
+ *
+ * system_u:system_r:virtd_t:s0
+ * system_u:system_r:virtd_t:s0-s0
+ * system_u:system_r:virtd_t:s0-s0:c0.c1023
+ *
+ * In the first two cases, we'll assume c0.c1023 for
+ * the category part, since that's what we're really
+ * interested in. This won't work in Enforcing mode,
+ * but will prevent libvirtd breaking in Permissive
+ * mode when run with a wierd process label.
+ */
 static int
 virSecuritySELinuxMCSGetProcessRange(char **sens,
                                      int *catMin,
@@ -166,7 +180,8 @@ virSecuritySELinuxMCSGetProcessRange(char **sens,
 {
     security_context_t ourSecContext = NULL;
     context_t ourContext = NULL;
-    char *cat, *tmp;
+    char *cat = NULL;
+    char *tmp;
     int ret = -1;
 
     if (getcon_raw(&ourSecContext) < 0) {
@@ -186,20 +201,25 @@ virSecuritySELinuxMCSGetProcessRange(char **sens,
         goto cleanup;
     }
 
-    /* Find and blank out the category part */
-    if (!(tmp = strchr(*sens, ':'))) {
-        virReportError(VIR_ERR_INTERNAL_ERROR,
-                       _("Cannot parse sensitivity level in %s"),
-                       *sens);
-        goto cleanup;
+    /* Find and blank out the category part (if any) */
+    tmp = strchr(*sens, ':');
+    if (tmp) {
+        *tmp = '\0';
+        cat = tmp + 1;
     }
-    *tmp = '\0';
-    cat = tmp + 1;
     /* Find and blank out the sensitivity upper bound */
     if ((tmp = strchr(*sens, '-')))
         *tmp = '\0';
     /* sens now just contains the sensitivity lower bound */
 
+    /* If there was no category part, just assume c0.c1024 */
+    if (!cat) {
+        *catMin = 0;
+        *catMax = 1024;
+        ret = 0;
+        goto cleanup;
+    }
+
     /* Find & extract category min */
     tmp = cat;
     if (tmp[0] != 'c') {

diff --git a/tests/securityselinuxtest.c b/tests/securityselinuxtest.c
index 0fa70ba9a9ef349f7d47c15877c9347a2a5cd120..99565e6c945fe39fba5d4f7eaf2978402215b8bb 100644 (file)
--- a/tests/securityselinuxtest.c
+++ b/tests/securityselinuxtest.c
@@ -296,6 +296,18 @@ mymain(void)
             ret = -1;                                                   \
     } while (0)
 
+    DO_TEST_GEN_LABEL("dynamic unconfined, s0, c0.c1023",
+                      "unconfined_u:unconfined_r:unconfined_t:s0",
+                      true, NULL, NULL,
+                      "unconfined_u", "unconfined_r", "object_r",
+                      "svirt_t", "svirt_image_t",
+                      0, 0, 0, 1023);
+    DO_TEST_GEN_LABEL("dynamic unconfined, s0, c0.c1023",
+                      "unconfined_u:unconfined_r:unconfined_t:s0-s0",
+                      true, NULL, NULL,
+                      "unconfined_u", "unconfined_r", "object_r",
+                      "svirt_t", "svirt_image_t",
+                      0, 0, 0, 1023);
     DO_TEST_GEN_LABEL("dynamic unconfined, s0, c0.c1023",
                       "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
                       true, NULL, NULL,