On Mon, Oct 01, 2018 at 10:34:38AM +0200, Michal Privoznik wrote:
> On 09/27/2018 05:02 PM, Ján Tomko wrote:
>> We switched to opening mode='bind' sockets ourselves:
>> commit 30fb2276d88b275dc2aad6ddd28c100d944b59a5
>> qemu: support passing pre-opened UNIX socket listen FD
>> in v4.5.0-rc1~251
>>
>> Then fixed qemuBuildChrChardevStr to change libvirtd's label
>> while creating the socket:
>> commit b0c6300fc42bbc3e5eb0b236392f7344581c5810
>> qemu: ensure FDs passed to QEMU for chardevs have correct SELinux labels
>> v4.5.0-rc1~52
>>
>> Also add labeling of these sockets to the DAC driver.
>> Instead of trying to figure out which one was created by libvirt,
>> label it if it exists.
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1633389
>>
>> Signed-off-by: Ján Tomko <jtomko(a)redhat.com>
>> ---
>> src/security/security_dac.c | 7 ++++++-
>> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> How come SELinux is not affected? We shouldn't rely on default policy
> doing the right thing.
As mentioned in the commit message, the SELinux label is set before the
socket creation since the commit mentioned in the commit message.
Jano
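The "label it if it exists" policy the commit message describes, as an added illustration that is not libvirt's code (the patch itself is not reproduced in this message): a DAC-style relabel of a chardev UNIX socket path that skips silently when the path is absent, refuses anything that is not a socket, and uses lstat/lchown so a symlink dropped at the socket path cannot redirect the ownership change. The function name dac_label_socket_if_exists, the helper create_listen_socket, and the demo under /tmp are assumptions for this example, not libvirt APIs.

```c
/* Added example, not libvirt code: apply a DAC (uid/gid) label to a
 * chardev UNIX socket only if it already exists at the given path.
 * Return values (assumed convention for this example):
 *   1  socket existed and was relabeled
 *   0  nothing at the path (not created yet, or not by us): skip
 *  -1  error, including "something that is not a socket sits there"
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

int dac_label_socket_if_exists(const char *path, uid_t uid, gid_t gid)
{
    struct stat sb;

    /* lstat, not stat: never follow a symlink planted at the socket path */
    if (lstat(path, &sb) < 0) {
        if (errno == ENOENT)
            return 0;               /* absent: nothing to label */
        return -1;
    }
    if (!S_ISSOCK(sb.st_mode))
        return -1;                  /* unexpected object at the path */
    /* lchown for the same reason: operate on the path entry itself */
    if (lchown(path, uid, gid) < 0)
        return -1;
    return 1;
}

/* Demo helper (assumed, not libvirt): create a bound UNIX listen socket. */
int create_listen_socket(const char *path)
{
    struct sockaddr_un addr;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    if (strlen(path) >= sizeof(addr.sun_path)) {
        close(fd);
        return -1;
    }
    strcpy(addr.sun_path, path);
    if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Full cycle on a constructed socket under a fresh temp dir: create the
 * socket, relabel it to our own uid/gid (permitted unprivileged), clean
 * up, and return the labeling result (expected 1). Negative on setup
 * failure. */
int demo_label_cycle(void)
{
    char dir[] = "/tmp/dac-example-XXXXXX";   /* constructed, not libvirt's path */
    char path[256];
    int fd, rc;

    if (!mkdtemp(dir))
        return -2;
    snprintf(path, sizeof(path), "%s/serial0.sock", dir);
    fd = create_listen_socket(path);
    if (fd < 0) {
        rmdir(dir);
        return -3;
    }
    rc = dac_label_socket_if_exists(path, getuid(), getgid());
    close(fd);
    unlink(path);
    rmdir(dir);
    return rc;
}

int main(void)
{
    printf("existing socket: %d\n", demo_label_cycle());
    printf("missing socket:  %d\n",
           dac_label_socket_if_exists("/nonexistent-dir-for-example/x.sock",
                                      getuid(), getgid()));
    return 0;
}
```

The point of returning 0 rather than an error for a missing path is exactly the commit message's choice: rather than track which sockets libvirt itself created, label whatever is present; the S_ISSOCK check is the guard that keeps that leniency from relabeling an arbitrary file.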