From 5b1a906acef3b992e4c1de104f78c7d946165f4d Mon Sep 17 00:00:00 2001 From: Cole Robinson Date: Sep 24 2014 16:15:49 +0000 Subject: Fix labelling host devices (bz #1145968) --- diff --git a/0103-security-Fix-labelling-host-devices-bz-1145968.patch b/0103-security-Fix-labelling-host-devices-bz-1145968.patch new file mode 100644 index 0000000..b23d1b8 --- /dev/null +++ b/0103-security-Fix-labelling-host-devices-bz-1145968.patch @@ -0,0 +1,78 @@ +From 3a8e136e6b46174f347e088ade020c168fffafad Mon Sep 17 00:00:00 2001 +From: Cole Robinson +Date: Wed, 24 Sep 2014 11:47:46 -0400 +Subject: [PATCH] security: Fix labelling host devices (bz 1145968) + +The check for ISCSI devices was missing a check of subsys type, which +meant we could skip labelling of other host devices as well. This fixes +USB hotplug on F21 + +https://bugzilla.redhat.com/show_bug.cgi?id=1145968 +--- + src/security/security_apparmor.c | 3 ++- + src/security/security_dac.c | 6 ++++-- + src/security/security_selinux.c | 6 ++++-- + 3 files changed, 10 insertions(+), 5 deletions(-) + +diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c +index 041ce65..3025284 100644 +--- a/src/security/security_apparmor.c ++++ b/src/security/security_apparmor.c +@@ -828,7 +828,8 @@ AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr, + /* Like AppArmorRestoreSecurityImageLabel() for a networked disk, + * do nothing for an iSCSI hostdev + */ +- if (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI) ++ if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI && ++ scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI) + return 0; + + if (profile_loaded(secdef->imagelabel) < 0) +diff --git a/src/security/security_dac.c b/src/security/security_dac.c +index e398d2c..85253af 100644 +--- a/src/security/security_dac.c ++++ b/src/security/security_dac.c +@@ -523,7 +523,8 @@ virSecurityDACSetSecurityHostdevLabel(virSecurityManagerPtr mgr, + /* Like virSecurityDACSetSecurityImageLabel() for a networked disk, + * do nothing for an iSCSI hostdev + */ +- if (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI) ++ if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI && ++ scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI) + return 0; + + cbdata.manager = mgr; +@@ -657,7 +658,8 @@ virSecurityDACRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr, + /* Like virSecurityDACRestoreSecurityImageLabelInt() for a networked disk, + * do nothing for an iSCSI hostdev + */ +- if (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI) ++ if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI && ++ scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI) + return 0; + + switch ((virDomainHostdevSubsysType) dev->source.subsys.type) { +diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c +index b9efbc5..ea1efc9 100644 +--- a/src/security/security_selinux.c ++++ b/src/security/security_selinux.c +@@ -1327,7 +1327,8 @@ virSecuritySELinuxSetSecurityHostdevSubsysLabel(virDomainDefPtr def, + /* Like virSecuritySELinuxSetSecurityImageLabelInternal() for a networked + * disk, do nothing for an iSCSI hostdev + */ +- if (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI) ++ if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI && ++ scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI) + return 0; + + switch (dev->source.subsys.type) { +@@ -1520,7 +1521,8 @@ virSecuritySELinuxRestoreSecurityHostdevSubsysLabel(virSecurityManagerPtr mgr, + /* Like virSecuritySELinuxRestoreSecurityImageLabelInt() for a networked + * disk, do nothing for an iSCSI hostdev + */ +- if (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI) ++ if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI && ++ scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI) + return 0; + + switch (dev->source.subsys.type) { diff --git a/libvirt.spec b/libvirt.spec index 57d20f2..6ae550e 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -363,7 +363,7 @@ Summary: Library providing a simple virtualization API Name: libvirt Version: 1.2.8 -Release: 5%{?dist}%{?extra_release} +Release: 6%{?dist}%{?extra_release} License: LGPLv2+ Group: Development/Libraries BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root @@ -404,6 +404,8 @@ Patch0020: 0020-spec-Re-run-autotools-for-ovmf-patches.patch # Fix specifying CPU for qemu aarch64 Patch0101: 0101-qemu_command-Split-qemuBuildCpuArgStr.patch Patch0102: 0102-qemu-Don-t-compare-CPU-against-host-for-TCG.patch +# Fix labelling host devices (bz #1145968) +Patch0103: 0103-security-Fix-labelling-host-devices-bz-1145968.patch %if %{with_libvirtd} Requires: libvirt-daemon = %{version}-%{release} @@ -1259,6 +1261,8 @@ driver # Fix specifying CPU for qemu aarch64 %patch0101 -p1 %patch0102 -p1 +# Fix labelling host devices (bz #1145968) +%patch0103 -p1 %build %if ! %{with_xen} @@ -2336,6 +2340,9 @@ exit 0 %doc examples/systemtap %changelog +* Wed Sep 24 2014 Cole Robinson - 1.2.8-6 +- Fix labelling host devices (bz #1145968) + * Tue Sep 23 2014 Cole Robinson - 1.2.8-5 - Fix specifying CPU for qemu aarch64