From 441f44f75c0d62a93da6b3cedaf55e44ff401fa7 Mon Sep 17 00:00:00 2001
Message-Id: <441f44f75c0d62a93da6b3cedaf55e44ff401fa7@dist-git>
From: Michal Privoznik <mprivozn@redhat.com>
Date: Thu, 18 Sep 2014 11:45:33 +0200
Subject: [PATCH] nvram: Fix permissions
|
https://bugzilla.redhat.com/show_bug.cgi?id=1026772
|
I've noticed two problems with the automatically created NVRAM varstore
file. The first, even though I run qemu as root:root for some reason I
get Permission denied when trying to open the _VARS.fd file. The
problem is, the upper directory misses execute permissions, which in
combination with us dropping some capabilities result in EPERM.
|
The next thing is, that if I switch SELinux to enforcing mode, I get
another EPERM because the vars file is not labeled correctly. It is
passed to qemu as disk and hence should be labelled as disk. QEMU may
write to it eventually, so this is different to kernel or initrd.
|
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
(cherry picked from commit 37d8c75fad297891b80086b125046ed3990eaf59)
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
---
libvirt.spec.in | 2 +-
src/security/security_selinux.c | 5 ++++-
2 files changed, 5 insertions(+), 2 deletions(-)
|
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 65f0d64..1c9150b 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -2298,8 +2298,11 @@ virSecuritySELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
mgr) < 0)
return -1;
|
+ /* This is different than kernel or initrd. The nvram store
+ * is really a disk, qemu can read and write to it. */
if (def->os.loader && def->os.loader->nvram &&
- virSecuritySELinuxSetFilecon(def->os.loader->nvram, data->content_context) < 0)
+ secdef && secdef->imagelabel &&
+ virSecuritySELinuxSetFilecon(def->os.loader->nvram, secdef->imagelabel) < 0)
return -1;
|
if (def->os.kernel &&
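Review bot: The added `secdef && secdef->imagelabel` guard turns a missing image label into a silent skip: a domain whose seclabel carries no imagelabel now leaves the NVRAM varstore with whatever context it inherited when the file was created, and qemu will hit the same EPERM this commit describes with nothing logged to explain it, whereas the old code at least applied `data->content_context`. Unless the caller already rejects that configuration (the top of virSecuritySELinuxSetSecurityAllLabel is outside this hunk), consider a `VIR_DEBUG("Not relabelling NVRAM store %s: no image label for domain", def->os.loader->nvram);` in an else-branch, or an explicit error, so the failure is attributable. It is also worth confirming that the matching restore path (virSecuritySELinuxRestoreSecurityAllLabel, not in this hunk) resets the nvram file, since it now carries the per-domain dynamic label with its MCS categories and a stale label would deny a later guest that reuses the path with different categories. The kernel/initrd branch that starts on the last line continues outside the hunk.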
--
2.1.0
|