On 01/07/2014 10:37 PM, Michal Privoznik wrote:
On 25.12.2013 08:02, Gao feng wrote:
> The unix socket /var/run/libvirt/lxc/domain.sock is not created
> under the selinux context which is configured by <seclabel>.
>
> If we try to connect to domain.sock under the selinux context
> of the domain in virLXCProcessConnectMonitor, selinux will deny
> this connect operation.
>
> type=AVC msg=audit(1387953696.067:662): avc: denied { connectto } for pid=21206
> comm="libvirtd" path="/usr/local/var/run/libvirt/lxc/systemd.sock"
> scontext=unconfined_u:system_r:svirt_lxc_net_t:s0:c770,c848
> tcontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> Since there is no harm in accessing domain.sock out of the domain's
> context, this patch removes the setsockcreatecon in
> virLXCProcessConnectMonitor.
>
> Signed-off-by: Gao feng <gaofeng(a)cn.fujitsu.com>
> ---
> src/lxc/lxc_process.c | 12 ------------
> 1 file changed, 12 deletions(-)
>
> diff --git a/src/lxc/lxc_process.c b/src/lxc/lxc_process.c
> index cc9c1a2..b336ade 100644
> --- a/src/lxc/lxc_process.c
> +++ b/src/lxc/lxc_process.c
> @@ -640,9 +640,6 @@ static virLXCMonitorPtr
virLXCProcessConnectMonitor(virLXCDriverPtr driver,
> virLXCMonitorPtr monitor = NULL;
> virLXCDriverConfigPtr cfg = virLXCDriverGetConfig(driver);
>
> - if (virSecurityManagerSetSocketLabel(driver->securityManager, vm->def)
< 0)
> - goto cleanup;
> -
> /* Hold an extra reference because we can't allow 'vm' to be
> * deleted while the monitor is active */
> virObjectRef(vm);
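Review bot: dropping virSecurityManagerSetSocketLabel() here means the connect to the monitor socket now runs under libvirtd's own process context instead of the domain's <seclabel>. The AVC quoted in the commit message shows the denial was exactly that mismatch (scontext svirt_lxc_net_t for the connecting side, tcontext unconfined_t on the socket), so the symptom goes away, but the socket keeps libvirtd's label and the domain label no longer plays any part in who may reach it; the commit message should state why that is acceptable, or the socket should be created with the domain's label instead so the confinement is kept. Minor: this was the only early `goto cleanup` before virObjectRef(vm), so `cfg` is now released only on the single fall-through path at the end, which is fine but worth saying.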
> @@ -652,15 +649,6 @@ static virLXCMonitorPtr
virLXCProcessConnectMonitor(virLXCDriverPtr driver,
> if (monitor == NULL)
> virObjectUnref(vm);
>
> - if (virSecurityManagerClearSocketLabel(driver->securityManager, vm->def)
< 0) {
> - if (monitor) {
> - virObjectUnref(monitor);
> - monitor = NULL;
> - }
> - goto cleanup;
> - }
> -
> -cleanup:
> virObjectUnref(cfg);
> return monitor;
> }
>
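Review bot: removing the `cleanup:` label together with the last `goto cleanup` is correct (an unreferenced label would otherwise draw an unused-label warning), but please confirm no other `goto cleanup` survives elsewhere in virLXCProcessConnectMonitor(), since the hunk context does not show the whole function. The deleted block was also the only place that unref'd a freshly created monitor on error; with no socket-label switch left there is nothing to restore, so the simplification is consistent, but if a v2 moves to labelling the socket at creation time, that error path (monitor unref, NULL return) will need to come back for the creation failure case.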
This patch looks good, but just one question: shouldn't the monitor
socket be created with the correct selinux label instead? You know, the
other approach to fix this issue.
Yes, maybe this will be better; I will send a v2 patch.
Thanks!
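The denial in this thread is easiest to understand by pulling the fields out of the AVC record: the connecting process is running as svirt_lxc_net_t (the domain's label), while the socket it reaches for carries unconfined_t (libvirtd's own label), so no allow rule matches. The following is an added example, not code from the thread or from libvirt: a small parser for audit AVC lines that extracts the permission, object class, path and both contexts and reports whether the denial is a type mismatch between the connecting process and the socket. The sample line is the one quoted in the commit message, re-joined onto a single line; the field names follow the standard audit AVC format.

```python
import re

# Constructed sample: the AVC denial quoted in the commit message above,
# re-joined onto one line (the list archive wrapped it).
SAMPLE_AVC = (
    'type=AVC msg=audit(1387953696.067:662): avc: denied { connectto } for pid=21206 '
    'comm="libvirtd" path="/usr/local/var/run/libvirt/lxc/systemd.sock" '
    'scontext=unconfined_u:system_r:svirt_lxc_net_t:s0:c770,c848 '
    'tcontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket'
)

# "avc: denied { perm1 perm2 } for key=value ..." (result may also be "granted").
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the AVC record's fields, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'result': m.group('result'), 'perms': m.group('perms').split()}
    for key, value in FIELD_RE.findall(m.group('fields')):
        rec[key] = value.strip('"')
    return rec


def split_context(ctx):
    """Split user:role:type[:range]; the MLS range itself may contain ':' (s0-s0:c0.c1023)."""
    parts = ctx.split(':', 3)
    return {
        'user': parts[0],
        'role': parts[1],
        'type': parts[2],
        'range': parts[3] if len(parts) > 3 else '',
    }


def diagnose(rec):
    """Describe a denial as a label relationship between subject and object.

    For the libvirt LXC case a 'connectto' denial on a unix_stream_socket whose
    target type differs from the subject type means the socket was created under
    a different label than the process that later connects to it."""
    if rec is None or rec['result'] != 'denied':
        return None
    src = split_context(rec['scontext'])
    tgt = split_context(rec['tcontext'])
    return {
        'permissions': rec['perms'],
        'tclass': rec.get('tclass'),
        'path': rec.get('path'),
        'comm': rec.get('comm'),
        'source_type': src['type'],
        'target_type': tgt['type'],
        'type_mismatch': src['type'] != tgt['type'],
        'source_range': src['range'],
        'target_range': tgt['range'],
    }


if __name__ == '__main__':
    d = diagnose(parse_avc(SAMPLE_AVC))
    print('%s denied %s on %s %s' % (d['comm'], ' '.join(d['permissions']),
                                     d['tclass'], d['path']))
    print('subject type %s vs object type %s (mismatch: %s)' % (
        d['source_type'], d['target_type'], d['type_mismatch']))
```

Run against real audit logs, `diagnose()` flags the socket-label mismatch directly: when `type_mismatch` is true for a `connectto` on a unix socket, the fix is either to create the socket under the label the connecting side will have (the alternative raised in the reply) or to connect from the label the socket already has (what this patch does by not switching context).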