[libvirt] [PATCH] LXC: create monitor socket under selinux context of domain

Gao feng gaofeng at cn.fujitsu.com
Wed Jan 8 03:03:01 UTC 2014


The unix socket /var/run/libvirt/lxc/domain.sock is not created
under the selinux context which is configured by <seclabel>.

If we try to connect to the domain.sock under the selinux context
of the domain in virtLXCProcessConnectMonitor, selinux will deny
this connect operation.

type=AVC msg=audit(1387953696.067:662): avc:  denied  { connectto } for  pid=21206 comm="libvirtd" path="/usr/local/var/run/libvirt/lxc/systemd.sock" scontext=unconfined_u:system_r:svirt_lxc_net_t:s0:c770,c848 tcontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

Fix this problem by creating the socket under the selinux context of the domain.

Signed-off-by: Gao feng <gaofeng at cn.fujitsu.com>
---
 src/lxc/lxc_controller.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c
index a2ae599..5ca960f 100644
--- a/src/lxc/lxc_controller.c
+++ b/src/lxc/lxc_controller.c
@@ -745,6 +745,9 @@ static int virLXCControllerSetupServer(virLXCControllerPtr ctrl)
                                          ctrl)))
         goto error;
 
+    if (virSecurityManagerSetSocketLabel(ctrl->securityManager, ctrl->def) < 0)
+        goto error;
+
     if (!(svc = virNetServerServiceNewUNIX(sockpath,
                                            0700,
                                            0,
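Review bot: the socket-creation label set by virSecurityManagerSetSocketLabel applies to every socket the controller process creates until the matching clear, so it is worth a one-line comment above the call stating that it exists only to label the UNIX socket created by the virNetServerServiceNewUNIX call directly below; that makes the set/clear pairing obvious to anyone later inserting code between the two calls.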
@@ -757,6 +760,9 @@ static int virLXCControllerSetupServer(virLXCControllerPtr ctrl)
                                            5)))
         goto error;
 
+    if (virSecurityManagerClearSocketLabel(ctrl->securityManager, ctrl->def) < 0)
+        goto error;
+
     if (virNetServerAddService(ctrl->server, svc, NULL) < 0)
         goto error;
     virObjectUnref(svc);
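Review bot: the clear is skipped on the failure path. If virNetServerServiceNewUNIX fails, the `goto error` just above this hunk leaves the controller with the domain's socket-creation context still set, so any socket created afterwards on the error path inherits the wrong label. Either call virSecurityManagerClearSocketLabel unconditionally before testing the result of virNetServerServiceNewUNIX, or add the clear to the error label so both paths end with the context restored.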
-- 
1.8.4.2