Read-only mirror. Please submit merge requests / issues to https://gitlab.com/libvirt/libvirt
Michal Privoznik ebc0526396 security_selinux: Don't relabel /dev/net/tun
https://bugzilla.redhat.com/show_bug.cgi?id=1147057

The code for relabelling the TAP FD is there due to a race. When
libvirt creates a /dev/tapN device it's labeled as
'system_u:object_r:device_t:s0' by default. Later, when
udev/systemd reacts to this device, it's relabelled to the
expected label 'system_u:object_r:tun_tap_device_t:s0'. Hence, we
have code that relabels the device, to cut the race down. For
more info see ae368ebfcc.

But the problem is, the relabel function is called on all TUN/TAP
devices. Yes, on /dev/net/tun too. This is however a special kind
of device - other processes use it too. We shouldn't touch its
label then.

Ideally, there would be an API in SELinux that would label just the
passed FD and not the underlying path. That way, we wouldn't need
to care as we would not be labeling /dev/net/tun but the FD
passed to the domain. Unfortunately, there's no such API so we
have to work around it until then.

Tested-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2014-10-08 15:15:58 +02:00
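As an added illustration of the gate the commit describes (this is not libvirt's own code; the function names are hypothetical and it assumes a Linux /proc), the helper below resolves what a TAP FD refers to and only permits relabelling for per-domain /dev/tapN nodes, never for the shared /dev/net/tun. No label is changed; the caller would only invoke fsetfilecon() when the helper returns 1.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper (not libvirt's code): decide from a resolved
 * device path whether TAP FD relabelling may touch it. Only the
 * per-domain /dev/tapN nodes are candidates; /dev/net/tun is shared
 * by every TUN/TAP user on the host and must keep the label
 * udev/systemd assigned to it. */
int tap_path_needs_relabel(const char *path)
{
    if (!path || strcmp(path, "/dev/net/tun") == 0)
        return 0;
    return strncmp(path, "/dev/tap", strlen("/dev/tap")) == 0;
}

/* Resolve what an open FD refers to via /proc/self/fd/N (Linux),
 * store the path in 'resolved' and apply the path rule.
 * Returns 1 if the caller may relabel, 0 if it must not, -1 if the
 * FD could not be resolved. Nothing is relabelled here. */
int tap_fd_needs_relabel(int fd, char *resolved, size_t len)
{
    char proc[64];
    ssize_t n;

    if (len == 0)
        return -1;
    snprintf(proc, sizeof(proc), "/proc/self/fd/%d", fd);
    n = readlink(proc, resolved, len - 1);
    if (n < 0)
        return -1;
    resolved[n] = '\0';
    return tap_path_needs_relabel(resolved);
}

int main(void)
{
    char path[256];
    int decision;
    int fd = open("/dev/null", O_RDONLY);  /* stands in for a TAP FD */

    if (fd < 0)
        return 1;
    decision = tap_fd_needs_relabel(fd, path, sizeof(path));
    printf("fd %d -> %s: %s\n", fd, decision < 0 ? "(unresolved)" : path,
           decision == 1 ? "relabel" : "leave alone");
    close(fd);
    return 0;
}
```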

         LibVirt : simple API for virtualization

  Libvirt is a C toolkit to interact with the virtualization capabilities
of recent versions of Linux (and other OSes). It is free software
available under the GNU Lesser General Public License. Virtualization of
the Linux Operating System means the ability to run multiple instances of
Operating Systems concurrently on a single hardware system where the basic
resources are driven by a Linux instance. The library aims at providing a
long-term stable C API, initially for the Xen paravirtualization, but
should be able to integrate other virtualization mechanisms if needed.

Daniel Veillard <veillard@redhat.com>