[libvirt] [PATCH 0/8] Honour current process label when generating SELinux labels
Viktor Mihajlovski
mihajlov at linux.vnet.ibm.com
Thu Aug 16 15:41:36 UTC 2012
On 08/10/2012 03:47 PM, Daniel P. Berrange wrote:
> This patch series makes a number of changes to the SELinux label
> generation code. This is intended to make it fully honour the
> current process label when generating VM labels, so that dynamic
> label generation works better with custom policies, or confined
> user accounts.
>
Unfortunately I am not SELinux-savvy enough to understand exactly why,
but I cannot start guests any more after pulling master.

The issue is that the virtual disk's security context (a block device in
this case) cannot be set, message shown below.

012-08-16 15:02:18.891+0000: 1536: error :
virSecuritySELinuxSetFileconHelper:652 : unable to set security context
'system_u:system_r:svirt_image_t:s0:c786,c986' on
'/dev/disk/by-path/ccw-0.0.3770-part1': Invalid argument

Prior to that, the security context would have looked like this:
system_u:object_r:svirt_image_t:s0:c153,c923, i.e. using object_r
instead of system_r.

I am running on RHEL 6.2, not sure whether this is relevant.

--
Kind Regards
Viktor Mihajlovski
IBM Deutschland Research & Development GmbH
Chairman of the Supervisory Board: Martin Jetter
Management: Dirk Wittkopp
Registered office: Böblingen
Registration court: Amtsgericht Stuttgart, HRB 243294