|
 |
aff97e |
From cbbccd865f4c3f630e89b4270a036bfb3f76041b Mon Sep 17 00:00:00 2001
|
|
|
3ec523 |
From: Michal Privoznik <mprivozn@redhat.com>
|
|
|
3ec523 |
Date: Thu, 11 Sep 2014 12:09:04 +0200
|
|
|
3ec523 |
Subject: [PATCH] nvram: Fix permissions
|
|
|
3ec523 |
|
|
|
3ec523 |
I've noticed two problem with the automatically created NVRAM varstore
|
|
|
3ec523 |
file. The first, even though I run qemu as root:root for some reason I
|
|
|
3ec523 |
get Permission denied when trying to open the _VARS.fd file. The
|
|
|
3ec523 |
problem is, the upper directory misses execute permissions, which in
|
|
|
3ec523 |
combination with us dropping some capabilities result in EPERM.
|
|
|
3ec523 |
|
|
|
3ec523 |
The next thing is, that if I switch SELinux to enforcing mode, I get
|
|
|
3ec523 |
another EPERM because the vars file is not labeled correctly. It is
|
|
|
3ec523 |
passed to qemu as disk and hence should be labelled as disk. QEMU may
|
|
|
3ec523 |
write to it eventually, so this is different to kernel or initrd.
|
|
|
3ec523 |
|
|
|
3ec523 |
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
|
|
|
3ec523 |
(cherry picked from commit 37d8c75fad297891b80086b125046ed3990eaf59)
|
|
|
3ec523 |
---
|
|
|
3ec523 |
libvirt.spec.in | 2 +-
|
|
|
3ec523 |
src/security/security_selinux.c | 5 ++++-
|
|
|
3ec523 |
2 files changed, 5 insertions(+), 2 deletions(-)
|
|
|
3ec523 |
|
|
|
3ec523 |
diff --git a/libvirt.spec.in b/libvirt.spec.in
|
|
|
aff97e |
index f99de39..32e51f7 100644
|
|
|
3ec523 |
--- a/libvirt.spec.in
|
|
|
3ec523 |
+++ b/libvirt.spec.in
|
|
|
aff97e |
@@ -1967,7 +1967,7 @@ exit 0
|
|
|
3ec523 |
%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/
|
|
|
3ec523 |
%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/
|
|
|
3ec523 |
%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/target/
|
|
|
3ec523 |
-%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/nvram/
|
|
|
3ec523 |
+%dir %attr(0711, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/nvram/
|
|
|
3ec523 |
%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/cache/libvirt/qemu/
|
|
|
3ec523 |
%{_datadir}/augeas/lenses/libvirtd_qemu.aug
|
|
|
3ec523 |
%{_datadir}/augeas/lenses/tests/test_libvirtd_qemu.aug
|
|
|
3ec523 |
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
|
|
|
3ec523 |
index a409c19..b9efbc5 100644
|
|
|
3ec523 |
--- a/src/security/security_selinux.c
|
|
|
3ec523 |
+++ b/src/security/security_selinux.c
|
|
|
3ec523 |
@@ -2298,8 +2298,11 @@ virSecuritySELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
|
|
|
3ec523 |
mgr) < 0)
|
|
|
3ec523 |
return -1;
|
|
|
3ec523 |
|
|
|
3ec523 |
+ /* This is different than kernel or initrd. The nvram store
|
|
|
3ec523 |
+ * is really a disk, qemu can read and write to it. */
|
|
|
3ec523 |
if (def->os.loader && def->os.loader->nvram &&
|
|
|
3ec523 |
- virSecuritySELinuxSetFilecon(def->os.loader->nvram, data->content_context) < 0)
|
|
|
3ec523 |
+ secdef && secdef->imagelabel &&
|
|
|
3ec523 |
+ virSecuritySELinuxSetFilecon(def->os.loader->nvram, secdef->imagelabel) < 0)
|
|
|
3ec523 |
return -1;
|
|
|
3ec523 |
|
|
|
3ec523 |
if (def->os.kernel &&
|