[libvirt] [PATCH 0/8] Honour current process label when generating SELinux labels

Daniel J Walsh dwalsh at redhat.com
Thu Aug 16 17:43:46 UTC 2012



On 08/16/2012 11:41 AM, Viktor Mihajlovski wrote:
> On 08/10/2012 03:47 PM, Daniel P. Berrange wrote:
>> This patch series makes a number of changes to the SELinux label 
>> generation code. This is intended to make it fully honour the current
>> process label when generating VM labels, so that dynamic label generation
>> works better with custom policies, or confined user accounts.
>> 
>> -- libvir-list mailing list libvir-list at redhat.com 
>> https://www.redhat.com/mailman/listinfo/libvir-list
>> 
> 
> Unfortunately I am not selinux-savvy enough to understand exactly why, but
> I cannot start guests any more after pulling master.
> 
> The issue is that the virtual disk's security context (a block device in
> this case) cannot be set, message shown below.
> 
> 012-08-16 15:02:18.891+0000: 1536: error : 
> virSecuritySELinuxSetFileconHelper:652 : unable to set security context 
> 'system_u:system_r:svirt_image_t:s0:c786,c986' on 
> '/dev/disk/by-path/ccw-0.0.3770-part1': Invalid argument
> 
> Prior to that the security context would have looked like this 
> system_u:object_r:svirt_image_t:s0:c153,c923, i.e. using object_r instead
> of system_r.
> 
> I am running on RHEL 6.2, not sure whether this is relevant.
> 

Yes, the security context should be system_u:object_r:svirt_image_t:s0:c786,c986.
These patches should have just affected the Process label, not the file label.
On the file label we should alter the role on the file label to include object_r.
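The role mismatch discussed in this thread, worked through as an added example (this is not libvirt's code, and the process label `system_u:system_r:svirt_t:s0:c786,c986` it starts from is a constructed value chosen to match the categories in Viktor's error message). It derives a disk-image label from a process label two ways: copying the role across, which yields the `system_r` file label that the kernel rejected with "Invalid argument", and the corrected derivation that keeps the user and MLS categories but always uses `object_r`. The `check_file_label` helper is a hypothetical pre-flight check a label generator could run before attempting to apply a label to a file.

```python
# Added example, not libvirt code: deriving a file (disk image) SELinux label
# from a process label, contrasting the reported bug with the corrected rule.
from __future__ import annotations
from dataclasses import dataclass

FILE_ROLE = "object_r"          # files and block devices always carry object_r
IMAGE_TYPE = "svirt_image_t"    # type used for a confined guest's disk images


@dataclass(frozen=True)
class SELinuxContext:
    """A four-field SELinux context: user:role:type:mls (mls may carry categories)."""
    user: str
    role: str
    type: str
    mls: str  # e.g. "s0:c786,c986"

    @classmethod
    def parse(cls, ctx: str) -> SELinuxContext:
        # Split into at most four fields; the MLS field itself contains ':'
        parts = ctx.split(":", 3)
        if len(parts) != 4 or not all(parts):
            raise ValueError(f"malformed SELinux context: {ctx!r}")
        return cls(*parts)

    def __str__(self) -> str:
        return ":".join((self.user, self.role, self.type, self.mls))


def buggy_image_label(proc: SELinuxContext) -> SELinuxContext:
    """The behaviour Viktor reported: the process role is copied onto the file label."""
    return SELinuxContext(proc.user, proc.role, IMAGE_TYPE, proc.mls)


def image_label_from_process(proc: SELinuxContext) -> SELinuxContext:
    """Corrected rule from the reply: inherit user and MLS categories only;
    the role of a file label is always object_r."""
    return SELinuxContext(proc.user, FILE_ROLE, IMAGE_TYPE, proc.mls)


def check_file_label(ctx: SELinuxContext) -> list[str]:
    """Hypothetical pre-flight check before applying a label to a file.
    Returns a list of problems; an empty list means the label is plausible."""
    problems: list[str] = []
    if ctx.role != FILE_ROLE:
        problems.append(f"file label must use role {FILE_ROLE}, got {ctx.role}")
    if not ctx.type.endswith("_t"):
        problems.append(f"type {ctx.type!r} does not look like an SELinux type")
    if not ctx.mls.startswith("s"):
        problems.append(f"MLS field {ctx.mls!r} does not start with a sensitivity")
    return problems


if __name__ == "__main__":
    # Constructed process label whose categories match the error in the thread.
    proc = SELinuxContext.parse("system_u:system_r:svirt_t:s0:c786,c986")
    bad = buggy_image_label(proc)
    good = image_label_from_process(proc)
    print("buggy file label:", bad, check_file_label(bad))
    print("fixed file label:", good, check_file_label(good))
```

Running it prints the `system_r` label from the error message flagged by the check, and the `object_r` label from the reply passing it; the point is that only the user and MLS category fields of a process label are meaningful to carry over to the objects that process owns.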