[libvirt] [PATCH] LXC: don't set socket create selinux context in virLXCProcessConnectMonitor

Gao feng gaofeng at cn.fujitsu.com
Wed Jan 8 02:10:44 UTC 2014


On 01/07/2014 10:37 PM, Michal Privoznik wrote:
> On 25.12.2013 08:02, Gao feng wrote:
>> the unix socket /var/run/libvirt/lxc/domain.sock is not created
>> under the selinux context which is configured by <seclabel>.
>>
>> If we try to connect to the domain.sock under the selinux context
>> of the domain in virLXCProcessConnectMonitor, selinux will deny
>> this connect operation.
>>
>> type=AVC msg=audit(1387953696.067:662): avc:  denied  { connectto } for  pid=21206 comm="libvirtd" path="/usr/local/var/run/libvirt/lxc/systemd.sock" scontext=unconfined_u:system_r:svirt_lxc_net_t:s0:c770,c848 tcontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>>
>> Since there is no harm in accessing domain.sock outside of the domain's
>> context, this patch removes the setsockcreatecon in
>> virLXCProcessConnectMonitor.
>>
>> Signed-off-by: Gao feng <gaofeng at cn.fujitsu.com>
>> ---
>>  src/lxc/lxc_process.c | 12 ------------
>>  1 file changed, 12 deletions(-)
>>
>> diff --git a/src/lxc/lxc_process.c b/src/lxc/lxc_process.c
>> index cc9c1a2..b336ade 100644
>> --- a/src/lxc/lxc_process.c
>> +++ b/src/lxc/lxc_process.c
>> @@ -640,9 +640,6 @@ static virLXCMonitorPtr virLXCProcessConnectMonitor(virLXCDriverPtr driver,
>>      virLXCMonitorPtr monitor = NULL;
>>      virLXCDriverConfigPtr cfg = virLXCDriverGetConfig(driver);
>>  
>> -    if (virSecurityManagerSetSocketLabel(driver->securityManager, vm->def) < 0)
>> -        goto cleanup;
>> -
>>      /* Hold an extra reference because we can't allow 'vm' to be
>>       * deleted while the monitor is active */
>>      virObjectRef(vm);
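Review bot: dropping virSecurityManagerSetSocketLabel() here resolves the AVC denial by making libvirtd connect to the monitor socket in its own context rather than in the domain's svirt_lxc_net_t context, which reverses the intent of the call being removed. The quoted audit line shows the mismatch is on the listening side (tcontext=unconfined_t while scontext carries the domain label), so the alternative is to keep this call and label the monitor socket with the domain's <seclabel> context when it is created, so that the connect from the domain context is allowed. If the removal is kept, the justification should say why connecting to domain.sock from libvirtd's unconfined context is acceptable rather than only "no harm".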
>> @@ -652,15 +649,6 @@ static virLXCMonitorPtr virLXCProcessConnectMonitor(virLXCDriverPtr driver,
>>      if (monitor == NULL)
>>          virObjectUnref(vm);
>>  
>> -    if (virSecurityManagerClearSocketLabel(driver->securityManager, vm->def) < 0) {
>> -        if (monitor) {
>> -            virObjectUnref(monitor);
>> -            monitor = NULL;
>> -        }
>> -        goto cleanup;
>> -    }
>> -
>> -cleanup:
>>      virObjectUnref(cfg);
>>      return monitor;
>>  }
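Review bot: removing the `cleanup:` label is only safe if no other `goto cleanup` remains in virLXCProcessConnectMonitor; the lines between the two hunks (around the monitor creation call) are not shown here, so confirm that, otherwise the build fails with an undefined label. With the Set/Clear pair gone the `monitor == NULL` path already drops the extra `vm` reference, so falling through to `virObjectUnref(cfg); return monitor;` is the complete cleanup.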
>>
> 
> This patch looks good, but just one question - shouldn't the monitor
> socket be created with the correct selinux label instead? You know, the
> other approach to fix this issue.
> 

Yes, maybe this will be better; will send a v2 patch.
Thanks!



