Commit 15073504 authored by Daniel P. Berrangé's avatar Daniel P. Berrangé 💬
Browse files

security: fix SELinux label generation logic

A process can access a file if the set of MCS categories
for the file is equal-to *or* a subset-of, the set of
MCS categories for the process.

If there are two VMs:

  a) svirt_t:s0:c117
  b) svirt_t:s0:c117,c720

Then VM (b) is able to access files labelled for VM (a).

IOW, we must discard case where the categories are equal
because that is a subset of many other valid category pairs.

Fixes: #153


CVE-2021-3631
Reviewed-by: Peter Krempa's avatarPeter Krempa <pkrempa@redhat.com>
Signed-off-by: Daniel P. Berrangé's avatarDaniel P. Berrangé <berrange@redhat.com>
parent f63397de
......@@ -383,7 +383,15 @@ virSecuritySELinuxMCSFind(virSecurityManager *mgr,
VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1 + catMin, c2 + catMin);
if (c1 == c2) {
mcs = g_strdup_printf("%s:c%d", sens, catMin + c1);
/*
* A process can access a file if the set of MCS categories
* for the file is equal-to *or* a subset-of, the set of
* MCS categories for the process.
*
* IOW, we must discard case where the categories are equal
* because that is a subset of other category pairs.
*/
continue;
} else {
if (c1 > c2) {
int t = c1;
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment