[libvirt] [PATCH] LXC: don't set socket create selinux context in virLXCProcessConnectMonitor
Michal Privoznik
mprivozn at redhat.com
Tue Jan 7 14:37:11 UTC 2014
On 25.12.2013 08:02, Gao feng wrote:
> the unix socket /var/run/libvirt/lxc/domain.sock is not created
> under the selinux context which is configured by <seclabel>.
>
> If we try to connect the domain.sock under the selinux context
> of domain in virLXCProcessConnectMonitor, selinux will deny
> this connect operation.
>
> type=AVC msg=audit(1387953696.067:662): avc: denied { connectto } for pid=21206 comm="libvirtd" path="/usr/local/var/run/libvirt/lxc/systemd.sock" scontext=unconfined_u:system_r:svirt_lxc_net_t:s0:c770,c848 tcontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> Since there is no harm to access domain.sock out of domain's
> context, this patch removes the setsockcreatecon in
> virLXCProcessConnectMonitor.
>
> Signed-off-by: Gao feng <gaofeng at cn.fujitsu.com>
> ---
> src/lxc/lxc_process.c | 12 ------------
> 1 file changed, 12 deletions(-)
>
> diff --git a/src/lxc/lxc_process.c b/src/lxc/lxc_process.c
> index cc9c1a2..b336ade 100644
> --- a/src/lxc/lxc_process.c
> +++ b/src/lxc/lxc_process.c
> @@ -640,9 +640,6 @@ static virLXCMonitorPtr virLXCProcessConnectMonitor(virLXCDriverPtr driver,
> virLXCMonitorPtr monitor = NULL;
> virLXCDriverConfigPtr cfg = virLXCDriverGetConfig(driver);
>
> - if (virSecurityManagerSetSocketLabel(driver->securityManager, vm->def) < 0)
> - goto cleanup;
> -
> /* Hold an extra reference because we can't allow 'vm' to be
> * deleted while the monitor is active */
> virObjectRef(vm);
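Review bot: dropping the virSecurityManagerSetSocketLabel() call here also drops the only `goto cleanup` in this function, so this hunk is only consistent with the second hunk removing the `cleanup:` label; the two must be applied together or the first leaves an unused label. The commit message should also spell out why the connect() from libvirtd's own context (unconfined_t in the quoted AVC) is acceptable instead of just "no harm", since the per-domain socket label was presumably set on purpose; the alternative fix of creating /var/run/libvirt/lxc/domain.sock under the <seclabel> context, as the message itself notes is missing, deserves a sentence on why it was not chosen.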
> @@ -652,15 +649,6 @@ static virLXCMonitorPtr virLXCProcessConnectMonitor(virLXCDriverPtr driver,
> if (monitor == NULL)
> virObjectUnref(vm);
>
> - if (virSecurityManagerClearSocketLabel(driver->securityManager, vm->def) < 0) {
> - if (monitor) {
> - virObjectUnref(monitor);
> - monitor = NULL;
> - }
> - goto cleanup;
> - }
> -
> -cleanup:
> virObjectUnref(cfg);
> return monitor;
> }
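Review bot: with virSecurityManagerClearSocketLabel() and the `cleanup:` label removed, the only exit path is the fall-through that unrefs `cfg` and returns `monitor`, and the `virObjectUnref(vm)` on `monitor == NULL` is now the sole error handling; that is correct, because the deleted block was the only other place a non-NULL `monitor` could be dropped, and it is a simplification rather than a behaviour change. One thing to double check is that no other function in lxc_process.c relied on the socket label being set around the connect, e.g. a matching clear elsewhere, since the set/clear pair is gone entirely after this hunk.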
>
This patch looks good, but just one question - shouldn't the monitor
socket be created with the correct selinux label instead? You know, the
other approach to fix this issue.
Michal