[libvirt] [PATCH 3/5] Set default lxc security_driver to none

Daniel P. Berrange berrange at redhat.com
Fri Feb 21 14:23:20 UTC 2014


On Fri, Feb 21, 2014 at 02:57:28PM +0100, Cédric Bosdonnat wrote:
> No security_driver value could cause weird behavior, like using
> apparmor even though we don't want it.
> ---
>  src/lxc/lxc.conf | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/src/lxc/lxc.conf b/src/lxc/lxc.conf
> index 8df4601..5eb0122 100644
> --- a/src/lxc/lxc.conf
> +++ b/src/lxc/lxc.conf
> @@ -20,6 +20,8 @@
>  # to 'none' instead.
>  #
>  #security_driver = "selinux"
> +#security_driver = "apparmor"
> +security_driver = "none"
>  
>  # If set to non-zero, then the default security labeling
>  # will make guests confined. If set to zero, then guests

This shouldn't be required. What is supposed to happen is that
the security drivers are enabled by default, but the guests
get given a label which is disabled. eg if you have SELinux
security driver enabled, the LXC containers will get given:

  <seclabel type='none' model='selinux'/>

Instead of what QEMU gets:

  <seclabel type='dynamic' model='selinux'/>


The type='none' means do not confine the guest.  I guess we
never added support to the apparmour driver to honour the
VIR_DOMAIN_SECLABEL_NONE value.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|




More information about the libvir-list mailing list