Libvirt provides a portable, long term stable C API for managing the virtualization technologies provided by many operating systems. It includes support for QEMU, KVM, Xen, LXC, bhyve, Virtuozzo, VMware vCenter and ESX, VMware Desktop, Hyper-V, VirtualBox and the POWER Hypervisor.
Go to file
Eric Blake 0f082e699e selinux: distinguish failure to label from request to avoid label
https://bugzilla.redhat.com/show_bug.cgi?id=924153

Commit 904e05a2 (v0.9.9) added a per-<disk> seclabel element with
an attribute relabel='no' in order to try and minimize the
impact of shutdown delays when an NFS server disappears.  The idea
was that if a disk is on NFS and can't be labeled in the first
place, there is no need to attempt the (no-op) relabel on domain
shutdown.  Unfortunately, the way this was implemented was by
modifying the domain XML so that the optimization would survive
libvirtd restart, but in a way that is indistinguishable from an
explicit user setting.  Furthermore, once the setting is turned
on, libvirt avoids attempts at labeling, even for operations like
snapshot or blockcopy where the chain is being extended or pivoted
onto non-NFS, where SELinux labeling is once again possible.  As
a result, it was impossible to do a blockcopy to pivot from an
NFS image file onto a local file.

The solution is to separate the semantics of a chain that must
not be labeled (which the user can set even on persistent domains)
vs. the optimization of not attempting a relabel on cleanup (a
live-only annotation), and using only the user's explicit notation
rather than the optimization as the decision on whether to skip
a label attempt in the first place.  When upgrading an older
libvirtd to a newer, an NFS volume will still attempt the relabel;
but as the avoidance of a relabel was only an optimization, this
shouldn't cause any problems.

In the ideal future, libvirt will eventually have XML describing
EVERY file in the backing chain, with each file having a separate
<seclabel> element.  At that point, libvirt will be able to track
more closely which files need a relabel attempt at shutdown.  But
until we reach that point, the single <seclabel> for the entire
<disk> chain is treated as a hint - when a chain has only one
file, then we know it is accurate; but if the chain has more than
one file, we have to attempt relabel in spite of the attribute,
in case part of the chain is local and SELinux mattered for that
portion of the chain.

* src/conf/domain_conf.h (_virSecurityDeviceLabelDef): Add new
member.
* src/conf/domain_conf.c (virSecurityDeviceLabelDefParseXML):
Parse it, for live images only.
(virSecurityDeviceLabelDefFormat): Output it.
(virDomainDiskDefParseXML, virDomainChrSourceDefParseXML)
(virDomainDiskSourceDefFormat, virDomainChrDefFormat)
(virDomainDiskDefFormat): Pass flags on through.
* src/security/security_selinux.c
(virSecuritySELinuxRestoreSecurityImageLabelInt): Honor labelskip
when possible.
(virSecuritySELinuxSetSecurityFileLabel): Set labelskip, not
norelabel, if labeling fails.
(virSecuritySELinuxSetFileconHelper): Fix indentation.
* docs/formatdomain.html.in (seclabel): Document new xml.
* docs/schemas/domaincommon.rng (devSeclabel): Allow it in RNG.
* tests/qemuxml2argvdata/qemuxml2argv-seclabel-*-labelskip.xml:
* tests/qemuxml2argvdata/qemuxml2argv-seclabel-*-labelskip.args:
* tests/qemuxml2xmloutdata/qemuxml2xmlout-seclabel-*-labelskip.xml:
New test files.
* tests/qemuxml2argvtest.c (mymain): Run the new tests.
* tests/qemuxml2xmltest.c (mymain): Likewise.

Signed-off-by: Eric Blake <eblake@redhat.com>
2013-08-20 10:39:03 -06:00
.gnulib@0ba087759d maint: update gnulib submodule 2013-08-15 16:54:30 -06:00
build-aux Add API for calling systemd-machined's DBus API 2013-07-22 13:09:58 +01:00
daemon Properly handle -h / -V for --help/--version aliases in virtlockd/libvirtd 2013-08-13 14:06:01 +01:00
docs selinux: distinguish failure to label from request to avoid label 2013-08-20 10:39:03 -06:00
examples examples: support crash events in event-test.py 2013-08-14 15:59:21 -06:00
gnulib build: add configure option to disable gnulib tests 2013-08-12 10:02:38 -06:00
include Add flag to BaselineCPU API to return detailed CPU features 2013-08-16 15:31:18 -06:00
m4 maint: slightly reduce configure size 2013-08-16 13:31:05 -06:00
po Introduce a virt-login-shell binary 2013-08-08 16:36:31 +01:00
python Delete obsolete / unused python test files 2013-07-30 14:13:58 +01:00
src selinux: distinguish failure to label from request to avoid label 2013-08-20 10:39:03 -06:00
tests selinux: distinguish failure to label from request to avoid label 2013-08-20 10:39:03 -06:00
tools virsh: Don't leak list of volumes when undefining domain with storage 2013-08-20 17:55:08 +02:00
.ctags maint: Make ctags work out of the box 2013-07-18 08:47:21 +02:00
.dir-locals.el build: avoid tabs that failed syntax-check 2012-09-06 09:43:46 -06:00
.gitignore Add documentation for access control system 2013-08-09 17:13:02 +01:00
.gitmodules make .gnulib a submodule 2009-07-08 16:17:51 +02:00
.mailmap Autogenerate AUTHORS 2012-10-19 12:44:56 -04:00
AUTHORS.in Add John Ferlan to the committers list 2013-02-05 10:59:32 -05:00
autobuild.sh build: add configure option to disable gnulib tests 2013-08-12 10:02:38 -06:00
autogen.sh autogen: Handle case when libvirt's submodule 2013-07-19 13:45:22 +02:00
bootstrap maint: update gnulib submodule 2013-08-15 16:54:30 -06:00
bootstrap.conf maint: avoid bootstrap warning 2013-08-15 16:54:06 -06:00
cfg.mk Split TLS test into two separate tests 2013-08-08 10:00:42 +01:00
ChangeLog-old virterror.c: Fix several spelling mistakes 2012-02-03 11:32:51 -07:00
configure.ac build: add configure option to disable gnulib tests 2013-08-12 10:02:38 -06:00
COPYING maint: follow recommended practice for using LGPL 2013-05-20 14:15:21 -06:00
COPYING.LESSER maint: follow recommended practice for using LGPL 2013-05-20 14:15:21 -06:00
HACKING docs: mention VIR_TEST_RANGE 2013-08-12 20:44:41 -06:00
libvirt.pc.in build: silence warning from autoconf 2012-05-30 09:22:02 -06:00
libvirt.spec.in build: add configure option to disable gnulib tests 2013-08-12 10:02:38 -06:00
Makefile.am maint: split long lines in Makefiles 2013-07-19 05:25:35 -06:00
Makefile.nonreentrant maint: use LGPL correctly 2013-05-20 14:03:48 -06:00
mingw-libvirt.spec.in build: add configure option to disable gnulib tests 2013-08-12 10:02:38 -06:00
README Correct typos in the documentation (Atsushi SAKAI) 2008-01-24 10:15:13 +00:00
README-hacking maint: relax git minimum version 2010-02-24 14:29:27 -05:00
run.in run: license as LGPL 2013-02-23 14:03:19 -07:00
TODO Update todo list file to point at bugzilla/website 2010-10-13 16:45:26 +01:00

         LibVirt : simple API for virtualization

  Libvirt is a C toolkit to interact with the virtualization capabilities
of recent versions of Linux (and other OSes). It is free software
available under the GNU Lesser General Public License. Virtualization of
the Linux Operating System means the ability to run multiple instances of
Operating Systems concurrently on a single hardware system where the basic
resources are driven by a Linux instance. The library aim at providing
long term stable C API initially for the Xen paravirtualization but
should be able to integrate other virtualization mechanisms if needed.

Daniel Veillard <veillard@redhat.com>