On Fri, Feb 21, 2014 at 02:57:28PM +0100, Cédric Bosdonnat wrote:
No security_driver value could cause weird behavior, like using
apparmor even though we don't want it.
---
src/lxc/lxc.conf | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/lxc/lxc.conf b/src/lxc/lxc.conf
index 8df4601..5eb0122 100644
--- a/src/lxc/lxc.conf
+++ b/src/lxc/lxc.conf
@@ -20,6 +20,8 @@
# to 'none' instead.
#
#security_driver = "selinux"
+#security_driver = "apparmor"
+security_driver = "none"
# If set to non-zero, then the default security labeling
# will make guests confined. If set to zero, then guests
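Review bot: the added security_driver = "none" line is the only uncommented setting in the visible hunk, so it is no longer an example but an active default that switches the security driver off for every LXC guest using this file. The neighbouring "selinux" and "apparmor" lines are commented examples; keep "none" commented in the same way and extend the comment block above it to say when an administrator should pick it. The commit message should also name the specific behaviour being avoided, since "weird behavior" gives a reviewer nothing to verify against.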
This shouldn't be required. What is supposed to happen is that
the security drivers are enabled by default, but the guests
get given a label which is disabled. e.g. if you have SELinux
security driver enabled, the LXC containers will get given:
<seclabel type='none' model='selinux'/>
Instead of what QEMU gets:
<seclabel type='dynamic' model='selinux'/>
The type='none' means do not confine the guest. I guess we
never added support to the apparmor driver to honour the
VIR_DOMAIN_SECLABEL_NONE value.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
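Added example (not part of the original message and not libvirt code): a small audit that reads a domain XML and reports, per domain-level <seclabel>, whether the guest is left unconfined (type='none') as described in the reply above. The sample XML documents, guest names and the function names audit_seclabels and unconfined_models are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain definitions (hypothetical guests).
LXC_XML = """<domain type='lxc'>
  <name>ct1</name>
  <seclabel type='none' model='selinux'/>
</domain>"""

QEMU_XML = """<domain type='kvm'>
  <name>vm1</name>
  <seclabel type='dynamic' model='selinux'/>
</domain>"""

NO_LABEL_XML = """<domain type='lxc'>
  <name>ct2</name>
</domain>"""


def audit_seclabels(domain_xml):
    """Return (guest name, [(model, type, confined), ...]).

    confined is False for type='none', True for any other explicit type,
    and None when the type attribute is absent (not decidable from XML).
    """
    root = ET.fromstring(domain_xml)
    name = root.findtext("name", default="(unnamed)")
    findings = []
    # Only <seclabel> elements directly under <domain> are inspected;
    # per-device labels nested deeper in the document are out of scope.
    for label in root.findall("seclabel"):
        model = label.get("model", "(unspecified)")
        ltype = label.get("type")
        confined = None if ltype is None else ltype != "none"
        findings.append((model, ltype, confined))
    return name, findings


def unconfined_models(domain_xml):
    """List the security models under which this guest runs unconfined."""
    _, findings = audit_seclabels(domain_xml)
    return [model for model, _, confined in findings if confined is False]


if __name__ == "__main__":
    for doc in (LXC_XML, QEMU_XML, NO_LABEL_XML):
        name, findings = audit_seclabels(doc)
        print(name, findings or "no domain-level seclabel in the XML")
```

An empty result means the XML carries no domain-level label, so what the guest gets depends on the host's driver configuration and cannot be read from the document alone.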