From: "Daniel P. Berrange" <berrange(a)redhat.com&gt; If an LXC domain failed to start because of a bogus SELinux label, virLXCProcessStart would call VIR_CLOSE(0) by mistake. This is because the code which initializes the member of the ttyFDs array to -1 got moved too far away from the place where the array is first allocated. Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com&gt; --- src/lxc/lxc_process.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/lxc/lxc_process.c b/src/lxc/lxc_process.c index cad6402..942d375 100644 --- a/src/lxc/lxc_process.c +++ b/src/lxc/lxc_process.c @@ -1077,6 +1077,8 @@ int virLXCProcessStart(virConnectPtr conn, virReportOOMError(); goto cleanup; } + for (i = 0 ; i < vm->def->nconsoles ; i++) + ttyFDs[i] = -1; /* If you are using a SecurityDriver with dynamic labelling, then generate a security label for isolation */ @@ -1096,9 +1098,6 @@ int virLXCProcessStart(virConnectPtr conn, vm->def, NULL) < 0) goto cleanup; - for (i = 0 ; i < vm->def->nconsoles ; i++) - ttyFDs[i] = -1; - for (i = 0 ; i < vm->def->nconsoles ; i++) { char *ttyPath; if (vm->def->consoles[i]->source.type != VIR_DOMAIN_CHR_TYPE_PTY) { -- 1.8.1.4