[libvirt] [PATCH 3/5] Set default lxc security_driver to none

Cedric Bosdonnat cbosdonnat at suse.com
Fri Feb 21 15:30:37 UTC 2014


On Fri, 2014-02-21 at 14:23 +0000, Daniel P. Berrange wrote:
> On Fri, Feb 21, 2014 at 02:57:28PM +0100, Cédric Bosdonnat wrote:
> > No security_driver value could cause weird behavior, like using
> > apparmor even though we don't want it.
> > ---
> >  src/lxc/lxc.conf | 2 ++
> >  1 file changed, 2 insertions(+)
> > 
> > diff --git a/src/lxc/lxc.conf b/src/lxc/lxc.conf
> > index 8df4601..5eb0122 100644
> > --- a/src/lxc/lxc.conf
> > +++ b/src/lxc/lxc.conf
> > @@ -20,6 +20,8 @@
> >  # to 'none' instead.
> >  #
> >  #security_driver = "selinux"
> > +#security_driver = "apparmor"
> > +security_driver = "none"
> >  
> >  # If set to non-zero, then the default security labeling
> >  # will make guests confined. If set to zero, then guests
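Review bot: The added `security_driver = "none"` line is active, unlike the `selinux` and `apparmor` examples above it that stay commented out, so it changes the shipped default from "use the available security driver" to "no confinement" for every LXC container, trading away defence in depth to work around one driver's behaviour; ship it as a commented example (`#security_driver = "none"`) next to `#security_driver = "apparmor"`, and address the unwanted AppArmor selection in the driver that picks it (the reply below points at honouring the unconfined label there).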
> 
> This shouldn't be required. What is supposed to happen is that
> the security drivers are enabled by default, but the guests
> get given a label which is disabled. eg if you have SELinux
> security driver enabled, the LXC containers will get given:
> 
>   <seclabel type='none' model='selinux'/>
> 
> Instead of what QEMU gets:
> 
>   <seclabel type='dynamic' model='selinux'/>
> 
> 
> The type='none' means do not confine the guest.  I guess we
> never added support to the apparmor driver to honour the
> VIR_DOMAIN_SECLABEL_NONE value.

I see. Then I'll need to add it instead of this patch.

--
Cedric
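An added audit check, not libvirt's code nor the patch author's, that illustrates the two ways a container ends up unconfined that this thread discusses: an active `security_driver = "none"` in lxc.conf, or a per-domain `<seclabel type='none'/>` label. The `parse_conf` and `confinement` helpers and the sample inputs are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Hypothetical audit helper (not libvirt code): given an lxc.conf fragment and
# a container's domain XML, report whether the container is actually confined.
# Constructed inputs below mirror the settings discussed in the thread.

_CONF_LINE = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"([^"]*)"$')

def parse_conf(text):
    """Return the active key/value pairs; lines starting with '#' are comments."""
    settings = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = _CONF_LINE.match(stripped)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def confinement(conf_text, domain_xml):
    """Return (confined, reason). A driver-level 'none' overrides any label."""
    driver = parse_conf(conf_text).get("security_driver")
    if driver == "none":
        return False, 'security_driver = "none": no domain gets a confining label'
    labels = ET.fromstring(domain_xml).findall("seclabel")
    if not labels:
        return False, "no explicit <seclabel>: the driver default applies"
    for label in labels:
        if label.get("type") == "none":
            return False, "seclabel type='none' model=%r: unconfined" % label.get("model")
    return True, "seclabel type=%r model=%r" % (labels[0].get("type"), labels[0].get("model"))

# Constructed sample inputs: the weak conf is the patch's active "none" line.
WEAK_CONF = '#security_driver = "selinux"\n#security_driver = "apparmor"\nsecurity_driver = "none"\n'
SAFE_CONF = '#security_driver = "selinux"\n#security_driver = "apparmor"\n#security_driver = "none"\n'
UNCONFINED_XML = "<domain type='lxc'><name>c1</name><seclabel type='none' model='selinux'/></domain>"
CONFINED_XML = "<domain type='lxc'><name>c2</name><seclabel type='dynamic' model='selinux'/></domain>"

if __name__ == "__main__":
    for conf_name, conf in (("weak", WEAK_CONF), ("safe", SAFE_CONF)):
        for xml_name, xml in (("c1", UNCONFINED_XML), ("c2", CONFINED_XML)):
            ok, why = confinement(conf, xml)
            print("%s/%s: %s (%s)" % (conf_name, xml_name, "confined" if ok else "UNCONFINED", why))
```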