[libvirt] [PATCH] LXC: don't set socket create selinux context in virLXCProcessConnectMonitor

the unix socket /var/run/libvirt/lxc/domain.sock is not created under the selinux context which is configured by <seclabel>. If we try to connect the domain.sock under the selinux context of domain in virLXCProcessConnectMonitor, selinux will deny this connect operation.
type=AVC msg=audit(1387953696.067:662): avc: denied { connectto } for pid=21206 comm="libvirtd" path="/usr/local/var/run/libvirt/lxc/systemd.sock" scontext=unconfined_u:system_r:svirt_lxc_net_t:s0:c770,c848 tcontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Since there is no harm to access domain.sock out of domain's context, this patch removes the setsockcreatecon in virLXCProcessConnectMonitor.
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
--- src/lxc/lxc_process.c | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/src/lxc/lxc_process.c b/src/lxc/lxc_process.c index cc9c1a2..b336ade 100644 --- a/src/lxc/lxc_process.c +++ b/src/lxc/lxc_process.c @@ -640,9 +640,6 @@ static virLXCMonitorPtr virLXCProcessConnectMonitor(virLXCDriverPtr driver, virLXCMonitorPtr monitor = NULL; virLXCDriverConfigPtr cfg = virLXCDriverGetConfig(driver); - if (virSecurityManagerSetSocketLabel(driver->securityManager, vm->def) < 0) - goto cleanup; - /* Hold an extra reference because we can't allow 'vm' to be * deleted while the monitor is active */ virObjectRef(vm); @@ -652,15 +649,6 @@ static virLXCMonitorPtr virLXCProcessConnectMonitor(virLXCDriverPtr driver, if (monitor == NULL) virObjectUnref(vm); - if (virSecurityManagerClearSocketLabel(driver->securityManager, vm->def) < 0) { - if (monitor) { - virObjectUnref(monitor); - monitor = NULL; - } - goto cleanup; - } - -cleanup: virObjectUnref(cfg); return monitor; } -- 1.8.4.2
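Review bot: In the first hunk (@@ -640,9 +640,6), removing the virSecurityManagerSetSocketLabel(driver->securityManager, vm->def) call is justified in the commit message only by "no harm", which is not enough for a change to security labeling. The AVC shows the connect being attempted as svirt_lxc_net_t against a socket whose peer is unconfined_t, so the mismatch is on the side that created domain.sock; the message should say why connecting from libvirtd's own context is acceptable rather than labeling the socket at creation, and a short comment at the place the call was removed would keep it from being reintroduced.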
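Review bot: In the second hunk (@@ -652,15 +649,6), the cleanup: label is deleted together with the virSecurityManagerClearSocketLabel block, which is only safe if no goto cleanup is left in the function. Both visible jumps are removed by this patch, but the lines between the two hunks are not shown, so please confirm nothing there still targets the label. The commit message also refers to setsockcreatecon while the diff removes the virSecurityManagerSetSocketLabel / virSecurityManagerClearSocketLabel pair; naming those functions in the message would make the change easier to find later.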

On 25.12.2013 08:02, Gao feng wrote:
the unix socket /var/run/libvirt/lxc/domain.sock is not created under the selinux context which is configured by <seclabel>.
If we try to connect the domain.sock under the selinux context of domain in virLXCProcessConnectMonitor, selinux will deny this connect operation.
type=AVC msg=audit(1387953696.067:662): avc: denied { connectto } for pid=21206 comm="libvirtd" path="/usr/local/var/run/libvirt/lxc/systemd.sock" scontext=unconfined_u:system_r:svirt_lxc_net_t:s0:c770,c848 tcontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Since there is no harm to access domain.sock out of domain's context, this patch removes the setsockcreatecon in virLXCProcessConnectMonitor.
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com> --- src/lxc/lxc_process.c | 12 ------------ 1 file changed, 12 deletions(-)
diff --git a/src/lxc/lxc_process.c b/src/lxc/lxc_process.c index cc9c1a2..b336ade 100644 --- a/src/lxc/lxc_process.c +++ b/src/lxc/lxc_process.c @@ -640,9 +640,6 @@ static virLXCMonitorPtr virLXCProcessConnectMonitor(virLXCDriverPtr driver, virLXCMonitorPtr monitor = NULL; virLXCDriverConfigPtr cfg = virLXCDriverGetConfig(driver);
- if (virSecurityManagerSetSocketLabel(driver->securityManager, vm->def) < 0) - goto cleanup; - /* Hold an extra reference because we can't allow 'vm' to be * deleted while the monitor is active */ virObjectRef(vm); @@ -652,15 +649,6 @@ static virLXCMonitorPtr virLXCProcessConnectMonitor(virLXCDriverPtr driver, if (monitor == NULL) virObjectUnref(vm);
- if (virSecurityManagerClearSocketLabel(driver->securityManager, vm->def) < 0) { - if (monitor) { - virObjectUnref(monitor); - monitor = NULL; - } - goto cleanup; - } - -cleanup: virObjectUnref(cfg); return monitor; }
This patch looks good, but just one question - shouldn't the monitor socket be created with the correct selinux label instead? You know, the other approach to fix this issue.
Michal

On 01/07/2014 10:37 PM, Michal Privoznik wrote:
On 25.12.2013 08:02, Gao feng wrote:
the unix socket /var/run/libvirt/lxc/domain.sock is not created under the selinux context which is configured by <seclabel>.
If we try to connect the domain.sock under the selinux context of domain in virLXCProcessConnectMonitor, selinux will deny this connect operation.
type=AVC msg=audit(1387953696.067:662): avc: denied { connectto } for pid=21206 comm="libvirtd" path="/usr/local/var/run/libvirt/lxc/systemd.sock" scontext=unconfined_u:system_r:svirt_lxc_net_t:s0:c770,c848 tcontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Since there is no harm to access domain.sock out of domain's context, this patch removes the setsockcreatecon in virLXCProcessConnectMonitor.
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com> --- src/lxc/lxc_process.c | 12 ------------ 1 file changed, 12 deletions(-)
diff --git a/src/lxc/lxc_process.c b/src/lxc/lxc_process.c index cc9c1a2..b336ade 100644 --- a/src/lxc/lxc_process.c +++ b/src/lxc/lxc_process.c @@ -640,9 +640,6 @@ static virLXCMonitorPtr virLXCProcessConnectMonitor(virLXCDriverPtr driver, virLXCMonitorPtr monitor = NULL; virLXCDriverConfigPtr cfg = virLXCDriverGetConfig(driver);
- if (virSecurityManagerSetSocketLabel(driver->securityManager, vm->def) < 0) - goto cleanup; - /* Hold an extra reference because we can't allow 'vm' to be * deleted while the monitor is active */ virObjectRef(vm); @@ -652,15 +649,6 @@ static virLXCMonitorPtr virLXCProcessConnectMonitor(virLXCDriverPtr driver, if (monitor == NULL) virObjectUnref(vm);
- if (virSecurityManagerClearSocketLabel(driver->securityManager, vm->def) < 0) { - if (monitor) { - virObjectUnref(monitor); - monitor = NULL; - } - goto cleanup; - } - -cleanup: virObjectUnref(cfg); return monitor; }
This patch looks good, but just one question - shouldn't the monitor socket be created with the correct selinux label instead? You know, the other approach to fix this issue.
Yes, maybe this will be better, will send v2 patch. Thanks!
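
Added example, not part of the thread or of libvirt's code: a small decoder for the AVC record quoted above, showing which label the connect was attempted under and which label the socket's peer carried. The function names are hypothetical; the record is copied from the thread.

```python
import re

# AVC record copied from the thread above.
AVC = ('type=AVC msg=audit(1387953696.067:662): avc: denied { connectto } '
       'for pid=21206 comm="libvirtd" '
       'path="/usr/local/var/run/libvirt/lxc/systemd.sock" '
       'scontext=unconfined_u:system_r:svirt_lxc_net_t:s0:c770,c848 '
       'tcontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 '
       'tclass=unix_stream_socket')


def split_context(ctx):
    """Split user:role:type:level; the MLS/MCS level may itself contain ':'."""
    user, role, setype, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": setype, "level": level}


def parse_avc(line):
    """Return the decision, permissions and key=value fields of an AVC record."""
    m = re.search(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)", line)
    if not m:
        raise ValueError("not an AVC record")
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(3))
    fields = {k: v.strip('"') for k, v in pairs}
    return {
        "decision": m.group(1),
        "perms": m.group(2).split(),
        "fields": fields,
        "source": split_context(fields["scontext"]),  # label of the caller
        "target": split_context(fields["tcontext"]),  # label of the peer
    }


def summarize(line):
    """One-line triage summary: who was denied what against which label."""
    r = parse_avc(line)
    f = r["fields"]
    return (f'{f["comm"]} (pid {f["pid"]}) acting as {r["source"]["type"]} '
            f'[{r["source"]["level"]}] was {r["decision"]} '
            f'{",".join(r["perms"])} on {f["tclass"]} {f["path"]} '
            f'labeled {r["target"]["type"]} [{r["target"]["level"]}]')


if __name__ == "__main__":
    print(summarize(AVC))
```

The source type svirt_lxc_net_t with categories c770,c848 is the domain's label applied to libvirtd's connecting socket, while the target is unconfined_t, which is the mismatch both proposed fixes address from opposite sides.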