commit 15073504dbb624d3f6c911e85557019d3620fdb2

Author: Daniel P. Berrangé <berrange@redhat.com>

Date:   Mon Jun 28 13:09:04 2021 +0100

​

    security: fix SELinux label generation logic

    A process can access a file if the set of MCS categories

    for the file is equal-to *or* a subset-of, the set of

    MCS categories for the process.

    If there are two VMs:

      a) svirt_t:s0:c117

      b) svirt_t:s0:c117,c720

    Then VM (b) is able to access files labelled for VM (a).

    IOW, we must discard case where the categories are equal

    because that is a subset of many other valid category pairs.

    Fixes: https://gitlab.com/libvirt/libvirt/-/issues/153

    CVE-2021-3631

    Reviewed-by: Peter Krempa <pkrempa@redhat.com>

    Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

​

Index: libvirt-7.1.0/src/security/security_selinux.c

===================================================================

--- libvirt-7.1.0.orig/src/security/security_selinux.c

+++ libvirt-7.1.0/src/security/security_selinux.c

@@ -389,7 +389,15 @@ virSecuritySELinuxMCSFind(virSecurityMan

         VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1 + catMin, c2 + catMin);

         if (c1 == c2) {

-            mcs = g_strdup_printf("%s:c%d", sens, catMin + c1);

+            /*

+             * A process can access a file if the set of MCS categories

+             * for the file is equal-to *or* a subset-of, the set of

+             * MCS categories for the process.

+             *

+             * IOW, we must discard case where the categories are equal

+             * because that is a subset of other category pairs.

+             */

+            continue;

         } else {

             if (c1 > c2) {

                 int t = c1;

​