SELinux labels change in libvirt
Ram Lavi
ralavi at redhat.com
Tue Jul 14 12:21:17 UTC 2020
Hello all,
tl;dr, can you point me to the point in the libvirt repo where it's trying
to change a tap-device's SELinux label?
I am trying to create a tap device with libvirt on a
super-privileged container, and then use it on another,
unprivileged container with libvirt.
User-wise, I know I need the super-privileged container to open the tap
device with the user of the unprivileged one - that I already did and it's
not the issue.
But I have a problem when I open the tap device in the
non-privileged container: the tap device currently has the spc_t label
since the tun_socket inherited the SELinux context from the
super-privileged container that creates it. Then libvirt is trying to change
the SELinux labels, and since it's not privileged, it fails.
But I didn't find where and how libvirt is trying to change the tap
device's label.
Can you point me to that specific code in libvirt?
Ram Lavi
Senior Software Engineer
Red Hat Israel <https://www.redhat.com/>
Yerushalaim Road 34, Ra'anana
ralavi at redhat.com IM: ralavi