From 6b11a6113bb62c9280de3122f223a7a7a1be04ba Mon Sep 17 00:00:00 2001 Message-Id: <6b11a6113bb62c9280de3122f223a7a7a1be04ba@dist-git> From: Michal Privoznik Date: Wed, 21 Sep 2022 15:56:13 +0200 Subject: [PATCH] security_selinux: Don't ignore NVMe disks when setting image label For NVMe disks we skip setting SELinux label on corresponding VFIO group (/dev/vfio/X). This bug is only visible with namespaces and goes as follows: 1) libvirt assigns NVMe disk to vfio-pci driver, 2) kernel creates /dev/vfio/X node with generic device_t SELinux label, 3) our namespace code creates the exact copy of the node in domain's private /dev, 4) SELinux policy kicks in an changes the label on the node to vfio_device_t (in the top most namespace), 5) libvirt tells QEMU to attach the NVMe disk, which is denied by SELinux policy. While one can argue that kernel should have created the /dev/vfio/X node with the correct SELinux label from the beginning (step 2), libvirt can't rely on that and needs to set label on its own. Surprisingly, I already wrote the code that aims on this specific case (v6.0.0-rc1~241), but because of a shortcut we take earlier it is never ran. The reason is that virStorageSourceIsLocalStorage() considers NVMe disks as non-local because their source is not accessible via src->path (or even if it is, it's not a local path). Therefore, do not exit early for NVMe disks and let the function continue. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2121441 Fixes: 284a12bae0e4cf93ea72797965d6c12e3a103f40 Signed-off-by: Michal Privoznik Reviewed-by: Peter Krempa (cherry picked from commit 68e93e3180ad4e51bf9f86850dc86d8f528d6564) Signed-off-by: Michal Privoznik --- src/security/security_selinux.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index e2f34a27dc..6cd3e845fd 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -1818,7 +1818,11 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityManager *mgr, const char *path = src->path; int ret; - if (!src->path || !virStorageSourceIsLocalStorage(src)) + /* Special case NVMe. Per virStorageSourceIsLocalStorage() it's + * considered not local, but we still want the code below to set + * label on VFIO group. */ + if (src->type != VIR_STORAGE_TYPE_NVME && + (!src->path || !virStorageSourceIsLocalStorage(src))) return 0; secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); -- 2.37.3