[libvirt] [PATCH 3/5] Set default lxc security_driver to none
Cedric Bosdonnat
cbosdonnat at suse.com
Fri Feb 21 15:30:37 UTC 2014
On Fri, 2014-02-21 at 14:23 +0000, Daniel P. Berrange wrote:
> On Fri, Feb 21, 2014 at 02:57:28PM +0100, Cédric Bosdonnat wrote:
> > No security_driver value could cause weird behavior, like using
> > apparmor even though we don't want it.
> > ---
> > src/lxc/lxc.conf | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/src/lxc/lxc.conf b/src/lxc/lxc.conf
> > index 8df4601..5eb0122 100644
> > --- a/src/lxc/lxc.conf
> > +++ b/src/lxc/lxc.conf
> > @@ -20,6 +20,8 @@
> > # to 'none' instead.
> > #
> > #security_driver = "selinux"
> > +#security_driver = "apparmor"
> > +security_driver = "none"
> >
> > # If set to non-zero, then the default security labeling
> > # will make guests confined. If set to zero, then guests
>
> This shouldn't be required. What is supposed to happen is that
> the security drivers are enabled by default, but the guests
> get given a label which is disabled, e.g. if you have the SELinux
> security driver enabled, the LXC containers will get given:
>
> <seclabel type='none' model='selinux'/>
>
> Instead of what QEMU gets:
>
> <seclabel type='dynamic' model='selinux'/>
>
>
> The type='none' means do not confine the guest. I guess we
> never added support to the apparmor driver to honour the
> VIR_DOMAIN_SECLABEL_NONE value.
I see. Then I'll need to add it instead of this patch.
--
Cedric
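The distinction the reply draws (a disabled driver in the daemon config versus an enabled driver with a per-guest label of type 'none') can be checked offline against dumped domain XML. The following is an added illustration, not libvirt's own code: it models that decision with constructed sample domains, and the treatment of a label whose model does not match the active driver is an assumption of the model.

```python
"""Model of the libvirt seclabel decision described in the thread (added example, not libvirt code)."""
import xml.etree.ElementTree as ET

# Default label type when the domain XML carries no <seclabel>, as the reply
# describes it: LXC containers get type='none', QEMU guests get type='dynamic'.
DEFAULT_LABEL_TYPE = {"lxc": "none", "qemu": "dynamic", "kvm": "dynamic"}

# Constructed sample domain definitions (not taken from the page or from libvirt).
LXC_UNCONFINED = "<domain type='lxc'><name>c1</name><seclabel type='none' model='selinux'/></domain>"
QEMU_DYNAMIC = "<domain type='qemu'><name>vm1</name><seclabel type='dynamic' model='selinux'/></domain>"
LXC_NO_LABEL = "<domain type='lxc'><name>c2</name></domain>"
QEMU_NO_LABEL = "<domain type='kvm'><name>vm2</name></domain>"


def effective_confinement(domain_xml, security_driver):
    """Return (confined, reason) for one domain definition.

    security_driver is the daemon config value (lxc.conf / qemu.conf):
    "none" disables confinement for every guest, anything else names the
    active model, e.g. "selinux" or "apparmor".
    """
    root = ET.fromstring(domain_xml)
    if root.tag != "domain":
        raise ValueError("not a libvirt <domain> document")
    if security_driver == "none":
        return (False, "security_driver=none: driver disabled for every guest")
    labels = root.findall("seclabel")
    if not labels:
        # No explicit label: apply the per-hypervisor default from the thread.
        label_type = DEFAULT_LABEL_TYPE.get(root.get("type", ""), "dynamic")
    else:
        # Assumption of this model: only a label for the active model counts;
        # a definition naming a different model is treated as a config error.
        match = [l for l in labels if l.get("model") == security_driver]
        if not match:
            raise ValueError("no <seclabel> for active model %r" % security_driver)
        label_type = match[0].get("type", "dynamic")
    if label_type == "none":
        return (False, "seclabel type='none': driver enabled, guest left unconfined")
    return (True, "seclabel type=%r under model %r" % (label_type, security_driver))


def audit(domains, security_driver):
    """Map each domain name to its confinement verdict for an enabled driver."""
    return {ET.fromstring(x).findtext("name"): effective_confinement(x, security_driver)[0]
            for x in domains}
```

Running `audit([LXC_UNCONFINED, QEMU_DYNAMIC, LXC_NO_LABEL, QEMU_NO_LABEL], "selinux")` shows the LXC guests unconfined and the QEMU guests confined while the driver stays enabled, which is the behaviour the reply says the apparmor driver should also provide.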