From d6b8838dd83697f721fe0706068df765148154de Mon Sep 17 00:00:00 2001 From: =?utf8?q?J=C3=A1n=20Tomko?= Date: Thu, 27 Sep 2018 16:13:18 +0200 Subject: [PATCH] security: dac: also label listen UNIX sockets MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit We switched to opening mode='bind' sockets ourselves: commit 30fb2276d88b275dc2aad6ddd28c100d944b59a5 qemu: support passing pre-opened UNIX socket listen FD in v4.5.0-rc1~251 Then fixed qemuBuildChrChardevStr to change libvirtd's label while creating the socket: commit b0c6300fc42bbc3e5eb0b236392f7344581c5810 qemu: ensure FDs passed to QEMU for chardevs have correct SELinux labels v4.5.0-rc1~52 Also add labeling of these sockets to the DAC driver. Instead of duplicating the logic which decides whether libvirt should pre-create the socket, assume an existing path meaning that it was created by libvirt. https://bugzilla.redhat.com/show_bug.cgi?id=1633389 Signed-off-by: Ján Tomko Reviewed-by: Erik Skultety --- src/security/security_dac.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/security/security_dac.c b/src/security/security_dac.c index 62442745dd..da4a6c72fe 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -1308,7 +1308,12 @@ virSecurityDACSetChardevLabel(virSecurityManagerPtr mgr, break; case VIR_DOMAIN_CHR_TYPE_UNIX: - if (!dev_source->data.nix.listen) { + if (!dev_source->data.nix.listen || + (dev_source->data.nix.path && + virFileExists(dev_source->data.nix.path))) { + /* Also label mode='bind' sockets if they exist, + * e.g. because they were created by libvirt + * and passed via FD */ if (virSecurityDACSetOwnership(mgr, NULL, dev_source->data.nix.path, user, group) < 0) -- 2.47.2