Fix labelling host devices (bz #1145968)

2014-09-24 12:15:49 -04:00 · 2014-09-24 12:15:49 -04:00 · 5b1a906ace
commit 5b1a906ace
parent aff97e0146
2 changed files with 86 additions and 1 deletions
--- a/0103-security-Fix-labelling-host-devices-bz-1145968.patch
+++ b/0103-security-Fix-labelling-host-devices-bz-1145968.patch
@ -0,0 +1,78 @@
+From 3a8e136e6b46174f347e088ade020c168fffafad Mon Sep 17 00:00:00 2001
+From: Cole Robinson <crobinso@redhat.com>
+Date: Wed, 24 Sep 2014 11:47:46 -0400
+Subject: [PATCH] security: Fix labelling host devices (bz 1145968)
+
+The check for ISCSI devices was missing a check of subsys type, which
+meant we could skip labelling of other host devices as well. This fixes
+USB hotplug on F21
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1145968
+---
+ src/security/security_apparmor.c | 3 ++-
+ src/security/security_dac.c      | 6 ++++--
+ src/security/security_selinux.c  | 6 ++++--
+ 3 files changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
+index 041ce65..3025284 100644
+--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
+@@ -828,7 +828,8 @@ AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
+     /* Like AppArmorRestoreSecurityImageLabel() for a networked disk,
+      * do nothing for an iSCSI hostdev
+      */
+-    if (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
+    if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI &&
+        scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
+         return 0;
+ 
+     if (profile_loaded(secdef->imagelabel) < 0)
+diff --git a/src/security/security_dac.c b/src/security/security_dac.c
+index e398d2c..85253af 100644
+--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
+@@ -523,7 +523,8 @@ virSecurityDACSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
+     /* Like virSecurityDACSetSecurityImageLabel() for a networked disk,
+      * do nothing for an iSCSI hostdev
+      */
+-    if (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
+    if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI &&
+        scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
+         return 0;
+ 
+     cbdata.manager = mgr;
+@@ -657,7 +658,8 @@ virSecurityDACRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
+     /* Like virSecurityDACRestoreSecurityImageLabelInt() for a networked disk,
+      * do nothing for an iSCSI hostdev
+      */
+-    if (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
+    if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI &&
+        scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
+         return 0;
+ 
+     switch ((virDomainHostdevSubsysType) dev->source.subsys.type) {
+diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
+index b9efbc5..ea1efc9 100644
+--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
+@@ -1327,7 +1327,8 @@ virSecuritySELinuxSetSecurityHostdevSubsysLabel(virDomainDefPtr def,
+     /* Like virSecuritySELinuxSetSecurityImageLabelInternal() for a networked
+      * disk, do nothing for an iSCSI hostdev
+      */
+-    if (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
+    if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI &&
+        scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
+         return 0;
+ 
+     switch (dev->source.subsys.type) {
+@@ -1520,7 +1521,8 @@ virSecuritySELinuxRestoreSecurityHostdevSubsysLabel(virSecurityManagerPtr mgr,
+     /* Like virSecuritySELinuxRestoreSecurityImageLabelInt() for a networked
+      * disk, do nothing for an iSCSI hostdev
+      */
+-    if (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
+    if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI &&
+        scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
+         return 0;
+ 
+     switch (dev->source.subsys.type) {
--- a/libvirt.spec
+++ b/libvirt.spec
@ -363,7 +363,7 @@
 Summary: Library providing a simple virtualization API
 Name: libvirt
 Version: 1.2.8
-Release: 5%{?dist}%{?extra_release}
+Release: 6%{?dist}%{?extra_release}
 License: LGPLv2+
 Group: Development/Libraries
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@ -404,6 +404,8 @@ Patch0020: 0020-spec-Re-run-autotools-for-ovmf-patches.patch
 # Fix specifying CPU for qemu aarch64
 Patch0101: 0101-qemu_command-Split-qemuBuildCpuArgStr.patch
 Patch0102: 0102-qemu-Don-t-compare-CPU-against-host-for-TCG.patch
+# Fix labelling host devices (bz #1145968)
+Patch0103: 0103-security-Fix-labelling-host-devices-bz-1145968.patch

 %if %{with_libvirtd}
 Requires: libvirt-daemon = %{version}-%{release}
@ -1259,6 +1261,8 @@ driver
 # Fix specifying CPU for qemu aarch64
 %patch0101 -p1
 %patch0102 -p1
+# Fix labelling host devices (bz #1145968)
+%patch0103 -p1

 %build
 %if ! %{with_xen}
@ -2336,6 +2340,9 @@ exit 0
 %doc examples/systemtap

 %changelog
+* Wed Sep 24 2014 Cole Robinson <crobinso@redhat.com> - 1.2.8-6
+- Fix labelling host devices (bz #1145968)
+
 * Tue Sep 23 2014 Cole Robinson <crobinso@redhat.com> - 1.2.8-5
 - Fix specifying CPU for qemu aarch64