libvirt/src/security
Michal Privoznik cf976d9dcf qemu: Label all TAP FDs
https://bugzilla.redhat.com/show_bug.cgi?id=1095636

When starting up the domain the domain's NICs are allocated. As of
1f24f682 (v1.0.6) we are able to use the multiqueue feature on virtio
NICs. It breaks network processing into multiple queues which can be
processed in parallel by different host CPUs. The queues are, however,
created by opening /dev/net/tun several times. Unfortunately, only the
first FD in the row is labelled so when turning the multiqueue feature
on in the guest, qemu will get an AVC denial. Make sure we label all the
FDs needed.

Moreover, the default label of /dev/net/tun doesn't allow
attaching a queue:

    type=AVC msg=audit(1399622478.790:893): avc:  denied  { attach_queue }
    for  pid=7585 comm="qemu-kvm"
    scontext=system_u:system_r:svirt_t:s0:c638,c877
    tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023
    tclass=tun_socket

And as suggested by SELinux maintainers, the tun FD should be labeled
as svirt_t. Therefore, we don't need to adjust any range (as done
previously by Guannan in ae368ebf) but rather set the seclabel of the
domain directly.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2014-08-20 09:42:24 +02:00
security_apparmor.c hostdev: Introduce virDomainHostdevSubsysSCSIiSCSI 2014-07-24 07:04:44 -04:00
security_apparmor.h maint: fix up copyright notice inconsistencies 2012-09-20 16:30:55 -06:00
security_dac.c hostdev: Introduce virDomainHostdevSubsysSCSIiSCSI 2014-07-24 07:04:44 -04:00
security_dac.h security: DAC: Introduce callback to perform image chown 2014-07-24 09:58:59 +02:00
security_driver.c Add virLogSource variables to all source files 2014-03-18 14:29:22 +00:00
security_driver.h security: Introduce APIs to label single images 2014-07-09 10:38:56 +02:00
security_manager.c security: DAC: Introduce callback to perform image chown 2014-07-24 09:58:59 +02:00
security_manager.h security: DAC: Introduce callback to perform image chown 2014-07-24 09:58:59 +02:00
security_nop.c security: Introduce APIs to label single images 2014-07-09 10:38:56 +02:00
security_nop.h maint: fix up copyright notice inconsistencies 2012-09-20 16:30:55 -06:00
security_selinux.c qemu: Label all TAP FDs 2014-08-20 09:42:24 +02:00
security_selinux.h maint: fix up copyright notice inconsistencies 2012-09-20 16:30:55 -06:00
security_stack.c security: Introduce APIs to label single images 2014-07-09 10:38:56 +02:00
security_stack.h security: fix #endif comment in security_stack.h 2012-12-20 19:55:54 +01:00
virt-aa-helper.c hostdev: Introduce virDomainHostdevSubsysUSB 2014-07-24 06:39:27 -04:00