libvirt/0014-nvram-Fix-permissions.patch

From 884ef00a28244b34d66ada97c8ddd3e7d7ea8ff1 Mon Sep 17 00:00:00 2001
From: Michal Privoznik <mprivozn@redhat.com>
Date: Thu, 11 Sep 2014 12:09:04 +0200
Subject: [PATCH] nvram: Fix permissions

I've noticed two problem with the automatically created NVRAM varstore
file. The first, even though I run qemu as root:root for some reason I
get Permission denied when trying to open the _VARS.fd file. The
problem is, the upper directory misses execute permissions, which in
combination with us dropping some capabilities result in EPERM.

The next thing is, that if I switch SELinux to enforcing mode, I get
another EPERM because the vars file is not labeled correctly. It is
passed to qemu as disk and hence should be labelled as disk. QEMU may
write to it eventually, so this is different to kernel or initrd.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
(cherry picked from commit 37d8c75fad297891b80086b125046ed3990eaf59)
---
 libvirt.spec.in                 | 2 +-
 src/security/security_selinux.c | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/libvirt.spec.in b/libvirt.spec.in
index 935b8c8..3cd7b2e 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -1970,7 +1970,7 @@ exit 0
 %dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/
 %dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/
 %dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/target/
-%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/nvram/
+%dir %attr(0711, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/nvram/
 %dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/cache/libvirt/qemu/
 %{_datadir}/augeas/lenses/libvirtd_qemu.aug
 %{_datadir}/augeas/lenses/tests/test_libvirtd_qemu.aug
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index a409c19..b9efbc5 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -2298,8 +2298,11 @@ virSecuritySELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
                                      mgr) < 0)
         return -1;
 
+    /* This is different than kernel or initrd. The nvram store
+     * is really a disk, qemu can read and write to it. */
     if (def->os.loader && def->os.loader->nvram &&
-        virSecuritySELinuxSetFilecon(def->os.loader->nvram, data->content_context) < 0)
+        secdef && secdef->imagelabel &&
+        virSecuritySELinuxSetFilecon(def->os.loader->nvram, secdef->imagelabel) < 0)
         return -1;
 
     if (def->os.kernel &&
Don't mess up labelling of /dev/net/tun (bz #1141879) pflash/nvram support for UEFI/OVMF 2014-09-18 19:36:06 +00:00			`From 884ef00a28244b34d66ada97c8ddd3e7d7ea8ff1 Mon Sep 17 00:00:00 2001`
			`From: Michal Privoznik <mprivozn@redhat.com>`
			`Date: Thu, 11 Sep 2014 12:09:04 +0200`
			`Subject: [PATCH] nvram: Fix permissions`

			`I've noticed two problem with the automatically created NVRAM varstore`
			`file. The first, even though I run qemu as root:root for some reason I`
			`get Permission denied when trying to open the _VARS.fd file. The`
			`problem is, the upper directory misses execute permissions, which in`
			`combination with us dropping some capabilities result in EPERM.`

			`The next thing is, that if I switch SELinux to enforcing mode, I get`
			`another EPERM because the vars file is not labeled correctly. It is`
			`passed to qemu as disk and hence should be labelled as disk. QEMU may`
			`write to it eventually, so this is different to kernel or initrd.`

			`Signed-off-by: Michal Privoznik <mprivozn@redhat.com>`
			`(cherry picked from commit 37d8c75fad297891b80086b125046ed3990eaf59)`
			`---`
			`libvirt.spec.in \| 2 +-`
			`src/security/security_selinux.c \| 5 ++++-`
			`2 files changed, 5 insertions(+), 2 deletions(-)`

			`diff --git a/libvirt.spec.in b/libvirt.spec.in`
			`index 935b8c8..3cd7b2e 100644`
			`--- a/libvirt.spec.in`
			`+++ b/libvirt.spec.in`
			`@@ -1970,7 +1970,7 @@ exit 0`
			`%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/`
			`%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/`
			`%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/target/`
			`-%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/nvram/`
			`+%dir %attr(0711, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/nvram/`
			`%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/cache/libvirt/qemu/`
			`%{_datadir}/augeas/lenses/libvirtd_qemu.aug`
			`%{_datadir}/augeas/lenses/tests/test_libvirtd_qemu.aug`
			`diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c`
			`index a409c19..b9efbc5 100644`
			`--- a/src/security/security_selinux.c`
			`+++ b/src/security/security_selinux.c`
			`@@ -2298,8 +2298,11 @@ virSecuritySELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,`
			`mgr) < 0)`
			`return -1;`

			`+ /* This is different than kernel or initrd. The nvram store`
			`+ * is really a disk, qemu can read and write to it. */`
			`if (def->os.loader && def->os.loader->nvram &&`
			`- virSecuritySELinuxSetFilecon(def->os.loader->nvram, data->content_context) < 0)`
			`+ secdef && secdef->imagelabel &&`
			`+ virSecuritySELinuxSetFilecon(def->os.loader->nvram, secdef->imagelabel) < 0)`
			`return -1;`

			`if (def->os.kernel &&`