[libvirt] [PATCH] LXC: don't set socket create selinux context in virLXCProcessConnectMonitor
Gao feng
gaofeng at cn.fujitsu.com
Wed Jan 8 02:10:44 UTC 2014
On 01/07/2014 10:37 PM, Michal Privoznik wrote:
> On 25.12.2013 08:02, Gao feng wrote:
>> the unix socket /var/run/libvirt/lxc/domain.sock is not created
>> under the selinux context which configured by <seclabel>.
>>
>> If we try to connect the domain.sock under the selinux context
>> of domain in virtLXCProcessConnectMonitor,selinux will deny
>> this connect operation.
>>
>> type=AVC msg=audit(1387953696.067:662): avc: denied { connectto } for pid=21206 comm="libvirtd" path="/usr/local/var/run/libvirt/lxc/systemd.sock" scontext=unconfined_u:system_r:svirt_lxc_net_t:s0:c770,c848 tcontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>>
>> Since there is no harm to access doamin.sock outof domain's
>> context, this patch removes the setsockcreatecon in
>> virLXCProcessConnectMonitor.
>>
>> Signed-off-by: Gao feng <gaofeng at cn.fujitsu.com>
>> ---
>> src/lxc/lxc_process.c | 12 ------------
>> 1 file changed, 12 deletions(-)
>>
>> diff --git a/src/lxc/lxc_process.c b/src/lxc/lxc_process.c
>> index cc9c1a2..b336ade 100644
>> --- a/src/lxc/lxc_process.c
>> +++ b/src/lxc/lxc_process.c
>> @@ -640,9 +640,6 @@ static virLXCMonitorPtr virLXCProcessConnectMonitor(virLXCDriverPtr driver,
>> virLXCMonitorPtr monitor = NULL;
>> virLXCDriverConfigPtr cfg = virLXCDriverGetConfig(driver);
>>
>> - if (virSecurityManagerSetSocketLabel(driver->securityManager, vm->def) < 0)
>> - goto cleanup;
>> -
>> /* Hold an extra reference because we can't allow 'vm' to be
>> * deleted while the monitor is active */
>> virObjectRef(vm);
>> @@ -652,15 +649,6 @@ static virLXCMonitorPtr virLXCProcessConnectMonitor(virLXCDriverPtr driver,
>> if (monitor == NULL)
>> virObjectUnref(vm);
>>
>> - if (virSecurityManagerClearSocketLabel(driver->securityManager, vm->def) < 0) {
>> - if (monitor) {
>> - virObjectUnref(monitor);
>> - monitor = NULL;
>> - }
>> - goto cleanup;
>> - }
>> -
>> -cleanup:
>> virObjectUnref(cfg);
>> return monitor;
>> }
>>
>
> This patch looks good, but just one question - shouldn't the monitor
> socket be created with the correct selinux label instead? You know, the
> other approach to fix this issue.
>
Yes, Maybe this will be better, will send v2 patch.
Thanks!
More information about the libvir-list
mailing list