virt-sandbox-service assumes libvirt has the SELinux security model,
which is not necessarily the case. If no security model is defined,
then don't check for dynamic labels.
---
bin/virt-sandbox-service | 24 +++++++++++++++++++++++-
1 file changed, 23 insertions(+), 1 deletion(-)
diff --git a/bin/virt-sandbox-service b/bin/virt-sandbox-service
index 9ed37e0..789c732 100755
--- a/bin/virt-sandbox-service
+++ b/bin/virt-sandbox-service
@@ -314,10 +314,32 @@ class Container:
context = self.context()
context.undefine()
+ def get_security_model(self):
+ # XXX selinux is the default for the while, needs to be configurable someday
+ model = "selinux"
+ supported = False
+
+ # Make sure we have a connection
+ self.connect()
+
+ # Loop over the security models from the host capabilities
+ configCaps = self.conn.get_capabilities()
+ hostCaps = configCaps.get_host()
+ secmodels = hostCaps.get_secmodels()
+ for secmodel in secmodels:
+ if secmodel.get_model() == model:
+ supported = True
+ break
+
+ if not supported:
+ model = None
+ return model
+
def create(self):
self.connect()
- if self.config.get_security_dynamic() and not self.use_image:
+ if self.get_security_model() is not None and \
+ self.config.get_security_dynamic() and not self.use_image:
raise ValueError([_("Dynamic security label only supported for image
based containers")])
if self.uri != "lxc:///":
self.config.set_shell(True)
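Review bot: When the host capabilities do not list `selinux`, `get_security_model()` returns None and `create()` skips the dynamic-label check without any message, so a config that requests a dynamic security label proceeds with no notice that the label may not be applied; what the rest of `create()` does with that config lies outside this hunk. Because the model name is hard-coded, a host reporting only a different secmodel (AppArmor, for instance) is also treated as having none, which is narrower than the commit message's "no security model is defined". I would log a warning on the skip path and state the return contract on the helper, e.g. `# Returns "selinux" if the host capabilities list it, else None; other secmodels are not considered`. The `self.connect()` inside the helper repeats the call already made on the first line of `create()`, so it could be dropped from the helper, provided `create()` stays its only caller.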
--
1.8.4.5