On 08/16/2012 11:41 AM, Viktor Mihajlovski wrote:
> On 08/10/2012 03:47 PM, Daniel P. Berrange wrote:
> > This patch series makes a number of changes to the SELinux label
> > generation code. This is intended to make it fully honour the current
> > process label when generating VM labels, so that dynamic label generation
> > works better with custom policies, or confined user accounts.
> >
> > -- libvir-list mailing list libvir-list(a)redhat.com
> > https://www.redhat.com/mailman/listinfo/libvir-list
> >
> Unfortunately I am not selinux-savvy enough to understand exactly why, but
> I cannot start guests any more after pulling master.
> The issue is that the virtual disk's security context (a block device in
> this case) cannot be set, message shown below.
> 2012-08-16 15:02:18.891+0000: 1536: error :
> virSecuritySELinuxSetFileconHelper:652 : unable to set security context
> 'system_u:system_r:svirt_image_t:s0:c786,c986' on
> '/dev/disk/by-path/ccw-0.0.3770-part1': Invalid argument
> Prior to that the security context would have looked like this
> system_u:object_r:svirt_image_t:s0:c153,c923, i.e. using object_r instead
> of system_r.
> I am running on RHEL 6.2, not sure whether this is relevant.
Yes, the security context should be system_u:object_r:svirt_image_t:s0:c786,c986.
These patches should have just affected the process label, not the file label.
On the file label we should alter the role to include object_r.
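An added example, not libvirt's own code: a C helper that derives the disk image label from a VM process label the way the reply describes, carrying over the SELinux user and MCS categories but forcing the object_r role, plus a check to run before setfilecon() that would have flagged the system_r label in the error above. The function names are hypothetical; the sample contexts are the ones quoted in the thread.

```c
#include <stdio.h>
#include <string.h>

/* Split "user:role:type[:range]" into fields. Only the first three colons
 * separate fields; the MCS range itself contains a colon ("s0:c786,c986"),
 * so the remainder is kept whole. Returns 3 or 4, or -1 if malformed. */
static int split_context(const char *ctx, char fields[4][128])
{
    const char *p = ctx;
    int n = 0;
    while (*p && n < 4) {
        const char *colon = (n < 3) ? strchr(p, ':') : NULL;
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        if (len == 0 || len >= 128)
            return -1;
        memcpy(fields[n], p, len);
        fields[n][len] = '\0';
        n++;
        if (!colon)
            break;
        p = colon + 1;
    }
    return (n >= 3) ? n : -1;
}

/* Derive a disk image label from the VM process label: user and MCS
 * categories carry over, but a file object must get the object_r role and
 * the image type; copying the process role (system_r) yields the label the
 * kernel rejected above. Hypothetical helper. Returns 0 on success, -1 on error. */
int derive_image_label(const char *proc_label, char *out, size_t outlen)
{
    char f[4][128];
    int n = split_context(proc_label, f);
    int w;
    if (n < 0)
        return -1;
    w = (n == 4) ? snprintf(out, outlen, "%s:object_r:svirt_image_t:%s", f[0], f[3])
                 : snprintf(out, outlen, "%s:object_r:svirt_image_t", f[0]);
    return (w < 0 || (size_t)w >= outlen) ? -1 : 0;
}
/* Guard to run before setfilecon(): refuse a file label whose role is not
 * object_r rather than let the kernel fail the call. Returns 1 if ok. */
int file_label_role_ok(const char *label)
{
    char f[4][128];
    if (split_context(label, f) < 0)
        return 0;
    return strcmp(f[1], "object_r") == 0;
}
```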