Dear list, there were several attempts in the past to implement this feature, but none of them was successful. The problem is that we change security labels when starting a domain but never record the original labels therefore when restoring the labels back in domain shutdown phase we have to go with root:root or restorecon. This is not user friendly.
Now that we have metadata locking implemented we have exclusive access to the files we are touching and therefore can call functions to record the original owner. Since this database needs to be distributed (consider multiple daemons and an network file system) it can't be stored inside a daemon (libvirtd knows nothing about other daemons running on distant hosts). Therefore the next option is to store it with the files themselves - in XATTRs. There is one caveat though. A file can be passed to multiple domains at the same time (for instance an installation ISO), therefore we need a reference counter so that the only the last label restore call actually restores the original owner. A picture is worth more than a thousand words: # chown 5:6 /var/lib/libvirt/images/fd.img # ls -ln /var/lib/libvirt/images/fd.img -rw-r--r-- 1 5 6 2097152 Mar 17 2018 /var/lib/libvirt/images/fd.img # getfattr -d -m - /var/lib/libvirt/images/fd.img (no output) # virsh domblklist fedora Target Source ------------------------------------------------ sda /var/lib/libvirt/images/fedora.qcow2 sdb /var/lib/libvirt/images/fd.img # virsh domblklist gentoo Target Source ---------------------------------------------------------------------- fda /var/lib/libvirt/images/fd.img sda /var/lib/libvirt/images/gentoo.qcow2 # virsh start fedora Domain fedora started # getfattr -d -m - /var/lib/libvirt/images/fd.img trusted.libvirt.security.dac="+5:+6" trusted.libvirt.security.ref_dac="1" # virsh start gentoo Domain gentoo started # getfattr -d -m - /var/lib/libvirt/images/fd.img trusted.libvirt.security.dac="+5:+6" trusted.libvirt.security.ref_dac="2" # virsh shutdown --domain fedora Domain fedora is being shutdown # ls -ln /var/lib/libvirt/images/fd.img -rw-r--r-- 1 0 0 2097152 Mar 17 2018 /var/lib/libvirt/images/fd.img # getfattr -d -m - /var/lib/libvirt/images/fd.img trusted.libvirt.security.dac="+5:+6" trusted.libvirt.security.ref_dac="1" # virsh shutdown --domain gentoo Domain gentoo is being shutdown # getfattr -d -m - /var/lib/libvirt/images/fd.img (no output) # ls -ln /var/lib/libvirt/images/fd.img -rw-r--r-- 1 5 6 2097152 Mar 17 2018 /var/lib/libvirt/images/fd.img Even though I'm showing DAC only in my example, it's the same story with SELinux. Of course, this plays nicely with filesystems that don't support XATTRs, which there are not that much, but unfortunately NFS is one of them :( Michal Prívozník (18): security: Unify header conditionals util: Introduce xattr getter/setter/remover security: Include security_util security_dac: Restore label on failed chown() attempt virSecurityDACTransactionRun: Implement rollback virSecurityDACRestoreAllLabel: Reorder device relabeling virSecurityDACRestoreAllLabel: Restore more labels security_dac: Allow callers to enable/disable label remembering/recall security_dac: Remember old labels virSecurityDACRestoreImageLabelInt: Restore even shared/RO disks security_selinux: Track if transaction is restore security_selinux: Remember old labels security_selinux: Restore label on failed setfilecon() attempt virSecuritySELinuxTransactionRun: Implement rollback virSecuritySELinuxRestoreAllLabel: Reorder device relabeling virSecuritySELinuxRestoreAllLabel: Restore more labels tools: Provide a script to recover fubar'ed XATTRs setup qemu.conf: Allow users to enable/disable label remembering src/libvirt_private.syms | 3 + src/qemu/libvirtd_qemu.aug | 1 + src/qemu/qemu.conf | 6 + src/qemu/qemu_conf.c | 4 + src/qemu/test_libvirtd_qemu.aug.in | 1 + src/security/Makefile.inc.am | 2 + src/security/security_apparmor.h | 6 +- src/security/security_dac.c | 212 +++++++++++++++++------- src/security/security_dac.h | 6 +- src/security/security_driver.h | 6 +- src/security/security_manager.h | 6 +- src/security/security_nop.h | 6 +- src/security/security_selinux.c | 256 +++++++++++++++++++++-------- src/security/security_selinux.h | 6 +- src/security/security_stack.h | 6 +- src/security/security_util.c | 198 ++++++++++++++++++++++ src/security/security_util.h | 32 ++++ src/util/virfile.c | 121 ++++++++++++++ src/util/virfile.h | 11 ++ tools/Makefile.am | 1 + tools/libvirt_recover_xattrs.sh | 89 ++++++++++ 21 files changed, 829 insertions(+), 150 deletions(-) create mode 100644 src/security/security_util.c create mode 100644 src/security/security_util.h create mode 100755 tools/libvirt_recover_xattrs.sh -- 2.18.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list