
On 03/13/2013 12:04 PM, Daniel P. Berrange wrote:
From: "Daniel P. Berrange" <berrange@redhat.com>
Normally libvirtd should run with a SELinux label
system_u:system_r:virtd_t:s0-s0:c0.c1023
If a user manually runs libvirtd though, it is sometimes possible to get into a situation where it is running
system_u:system_r:init_t:s0
The SELinux security driver isn't expecting this and can't parse the security label since it lacks the ':c0.c1023' part causing it to complain
internal error Cannot parse sensitivity level in s0
This updates the parser to cope with this, so if no category is present, libvirtd will hardcode the equivalent of c0.c1023.
Now this won't work if SELinux is in Enforcing mode, but that's not an issue, because the user can only get into this problem if in Permissive mode. This means they can now start VMs in Permissive mode without hitting that parsing error
Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- src/security/security_selinux.c | 38 +++++++++++++++++++++++++++++--------- tests/securityselinuxtest.c | 12 ++++++++++++ 2 files changed, 41 insertions(+), 9 deletions(-)
ACK.
+ * + * In the first two cases, we'll assume c0.c1023 for + * the category part, since that's what we're really + * interested in. This won't work in Enforcing mode, + * but will prevent libvirtd breaking in Permissive + * mode when run with a wierd procss label.
s/wierd procss/weird process/ -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org