-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/25/2013 02:39 PM, Daniel J Walsh wrote:
(2nd pass)
lxc-enter-namespace allows a process from outside a container to start a
process inside a container. One problem with the current code is the
process running within the container would run with the label of the
process that created it.
For example if the admin process is running as unconfined_t and executes
the following command
# virsh -c lxc:/// lxc-enter-namespace --nolabel dan -- /bin/ps -eZ
LABEL                                             PID TTY          TIME CMD
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023       1 pts/0    00:00:00 systemd
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023       3 pts/1    00:00:00 sh
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023      24 ?        00:00:00 systemd-journal
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023      29 ?        00:00:00 dhclient
staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023   47 ?        00:00:00 ps
Note the ps command is running as unconfined_t. After this patch:
# virsh -c lxc:/// lxc-enter-namespace dan -- /bin/ps -eZ
LABEL                                             PID TTY          TIME CMD
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023       1 pts/0    00:00:00 systemd
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023       3 pts/1    00:00:00 sh
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023      24 ?        00:00:00 systemd-journal
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023      32 ?        00:00:00 dhclient
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023      38 ?        00:00:00 ps
I also added a --nolabel option to virsh, which can be used to go back to the original
behaviour.
# virsh -c lxc:/// lxc-enter-namespace --nolabel dan -- /bin/ps -eZ
LABEL                                             PID TTY          TIME CMD
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023       1 pts/0    00:00:00 systemd
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023       3 pts/1    00:00:00 sh
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023      24 ?        00:00:00 systemd-journal
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023      32 ?        00:00:00 dhclient
staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023   37 ?        00:00:00 ps
Everything seems to be working perfectly now.
Any comment on this?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird -
http://www.enigmail.net/
iEYEARECAAYFAlEL6iwACgkQrlYvE4MpobN4lACfZF6cBMngf7e9jJGuNkH9HfXC
tiAAoKNC7IuHy5yNrnwKmtS104FeryVl
=N0pN
-----END PGP SIGNATURE-----
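The check the mail above is doing by eye, written out as an added example (not part of the mail, and not libvirt code): a script that parses `ps -eZ` output taken from inside a container's PID namespace and reports every process whose SELinux context differs from that of the container's init (PID 1). A process such as the `ps` in the --nolabel run, which kept the caller's staff_u:unconfined_r:unconfined_t context, shows up as a leak. The two sample inputs are constructed from the outputs quoted in the mail; the function and variable names are my own.

```python
"""Report processes inside a container whose SELinux context differs from
the container's init (PID 1), using the columns printed by `ps -eZ`."""
import sys
from typing import List, Tuple

# Constructed sample: the --nolabel run from the mail, where `ps` (PID 47)
# keeps the admin's unconfined_t label instead of the container label.
SAMPLE_NOLABEL = """\
LABEL                                             PID TTY          TIME CMD
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023       1 pts/0    00:00:00 systemd
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023       3 pts/1    00:00:00 sh
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023      24 ?        00:00:00 systemd-journal
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023      29 ?        00:00:00 dhclient
staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023   47 ?        00:00:00 ps
"""

# Constructed sample: the post-patch run, where `ps` (PID 38) is relabelled.
SAMPLE_LABELED = """\
LABEL                                             PID TTY          TIME CMD
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023       1 pts/0    00:00:00 systemd
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023       3 pts/1    00:00:00 sh
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023      24 ?        00:00:00 systemd-journal
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023      32 ?        00:00:00 dhclient
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023      38 ?        00:00:00 ps
"""


def parse_ps_z(text: str) -> List[Tuple[str, int, str]]:
    """Turn `ps -eZ` output into (label, pid, cmd) tuples, skipping the header.

    Splitting on whitespace at most four times keeps CMD intact even when it
    contains spaces; the LABEL column itself never contains whitespace.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[0] == "LABEL":
            continue
        label, pid, _tty, _time, cmd = parts
        rows.append((label, int(pid), cmd))
    return rows


def domain_of(label: str) -> str:
    """Return the type (domain) field of a user:role:type:range context.

    The MLS/MCS range may itself contain colons (s0-s0:c0.c1023), so only the
    first three fields are positional; the type is always the third.
    """
    return label.split(":")[2]


def find_label_leaks(text: str) -> List[Tuple[int, str, str]]:
    """Return (pid, cmd, label) for every process whose full context differs
    from PID 1's. Comparing the whole context, not just the type, also catches
    a wrong SELinux user, role or MCS category set."""
    rows = parse_ps_z(text)
    init_labels = [label for label, pid, _cmd in rows if pid == 1]
    if not init_labels:
        raise ValueError("PID 1 not visible; run ps inside the container's PID namespace")
    expected = init_labels[0]
    return [(pid, cmd, label) for label, pid, cmd in rows if label != expected]


def report(text: str) -> int:
    """Print leaks in a human-readable form; return the number found."""
    leaks = find_label_leaks(text)
    for pid, cmd, label in leaks:
        print(f"PID {pid} ({cmd}) runs as {domain_of(label)}: {label}")
    return len(leaks)


if __name__ == "__main__":
    # Pipe real output in (`ps -eZ | python3 this.py`); otherwise use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NOLABEL
    sys.exit(1 if report(data) else 0)
```

Run inside the container's namespace (for example via lxc-enter-namespace itself) so that PID 1 is the container's init rather than the host's; the script refuses to run otherwise, because comparing against the host's init label would report every container process as a leak.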