On 25.12.2013 08:02, Gao feng wrote:
The unix socket /var/run/libvirt/lxc/domain.sock is not created
under the selinux context which is configured by <seclabel>.
If we try to connect to the domain.sock under the selinux context
of the domain in virLXCProcessConnectMonitor, selinux will deny
this connect operation.
type=AVC msg=audit(1387953696.067:662): avc: denied { connectto } for pid=21206
comm="libvirtd" path="/usr/local/var/run/libvirt/lxc/systemd.sock"
scontext=unconfined_u:system_r:svirt_lxc_net_t:s0:c770,c848
tcontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Since there is no harm in accessing domain.sock out of the domain's
context, this patch removes the setsockcreatecon in
virLXCProcessConnectMonitor.
Signed-off-by: Gao feng <gaofeng(a)cn.fujitsu.com>
---
src/lxc/lxc_process.c | 12 ------------
1 file changed, 12 deletions(-)
diff --git a/src/lxc/lxc_process.c b/src/lxc/lxc_process.c
index cc9c1a2..b336ade 100644
--- a/src/lxc/lxc_process.c
+++ b/src/lxc/lxc_process.c
@@ -640,9 +640,6 @@ static virLXCMonitorPtr virLXCProcessConnectMonitor(virLXCDriverPtr
driver,
virLXCMonitorPtr monitor = NULL;
virLXCDriverConfigPtr cfg = virLXCDriverGetConfig(driver);
- if (virSecurityManagerSetSocketLabel(driver->securityManager, vm->def) <
0)
- goto cleanup;
-
/* Hold an extra reference because we can't allow 'vm' to be
* deleted while the monitor is active */
virObjectRef(vm);
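Review bot: dropping the virSecurityManagerSetSocketLabel() call before virObjectRef(vm) leaves this function with no reference to driver->securityManager at all in the lines shown, so the client socket is now created under libvirtd's own label rather than the domain's. That is exactly what the quoted AVC shows (scontext svirt_lxc_net_t denied connectto the unconfined_t server socket), but it means the connect succeeds only because the listening socket carries libvirtd's context; the commit message should say explicitly that the monitor socket is meant to stay under libvirtd's label, since the alternative is to label the listening socket (the tcontext side of the AVC) at creation time instead.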
@@ -652,15 +649,6 @@ static virLXCMonitorPtr virLXCProcessConnectMonitor(virLXCDriverPtr
driver,
if (monitor == NULL)
virObjectUnref(vm);
- if (virSecurityManagerClearSocketLabel(driver->securityManager, vm->def) <
0) {
- if (monitor) {
- virObjectUnref(monitor);
- monitor = NULL;
- }
- goto cleanup;
- }
-
-cleanup:
virObjectUnref(cfg);
return monitor;
}
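Review bot: deleting the `cleanup:` label is only safe if no other `goto cleanup` remains in the function; both jumps visible in this patch are removed, but the lines between the two hunks are not shown, so please confirm the function still builds with the label gone. With the virSecurityManagerClearSocketLabel() error path removed, `if (monitor == NULL) virObjectUnref(vm);` becomes the only failure handling before `virObjectUnref(cfg); return monitor;`, which is consistent because nothing that can fail is left between the connect and the return.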
This patch looks good, but just one question - shouldn't the monitor
socket be created with the correct selinux label instead? You know, the
other approach to fix this issue.
Michal
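To make the label mismatch discussed above checkable against an audit log, here is an added Python snippet (not part of the patch or of libvirt) that parses AVC records and reports unix-socket connectto denials whose source and target types differ; the first sample line is the AVC from the message re-joined on one line, the second is a constructed unrelated record that must not be reported.

```python
import re

# Shape of the audit record quoted above: "avc: denied { perms } for key=value ...".
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the record's key=value fields plus a 'perms' list, or None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec

def context_type(ctx):
    """Type field of user:role:type:level; the level may itself contain ':' (s0-s0:c0.c1023)."""
    return ctx.split(":", 3)[2]

def socket_label_mismatch(rec):
    """For a unix_stream_socket connectto denial return (source_type, target_type)
    when the two sockets carry different types; None for any other record."""
    if rec is None or rec.get("tclass") != "unix_stream_socket":
        return None
    if "connectto" not in rec["perms"]:
        return None
    src, tgt = context_type(rec["scontext"]), context_type(rec["tcontext"])
    return (src, tgt) if src != tgt else None

def find_socket_mismatches(lines):
    """Return [(socket path, source_type, target_type)] for every matching denial."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        mismatch = socket_label_mismatch(rec)
        if mismatch:
            out.append((rec.get("path"), *mismatch))
    return out

# Sample input (constructed): the AVC from the message on one line, then an unrelated file denial.
SAMPLE_LOG = [
    'type=AVC msg=audit(1387953696.067:662): avc: denied { connectto } for pid=21206 '
    'comm="libvirtd" path="/usr/local/var/run/libvirt/lxc/systemd.sock" '
    'scontext=unconfined_u:system_r:svirt_lxc_net_t:s0:c770,c848 '
    'tcontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket',
    'type=AVC msg=audit(1387953700.000:663): avc: denied { read } for pid=21300 '
    'comm="cat" name="shadow" scontext=unconfined_u:unconfined_r:unconfined_t:s0 '
    'tcontext=system_u:object_r:shadow_t:s0 tclass=file',
]
```

Running find_socket_mismatches(SAMPLE_LOG) yields the single libvirtd denial with the two types that disagree, which is the pair either fix (relabelling the client socket or the listening socket) has to make equal.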