[PATCH 1/1] lxc: allow fallback to no apparmor.

The security_driver line in /etc/libvirt/qemu.conf is best-effort - if
selinux is not available on the host, then 'none' will be used.

The security_driver line in /etc/libvirt/lxc.conf doesn't behave the
same way - if apparmor is specified but policies are not available
on the host, then container creation fails.

This patch always tries to fall back to 'none' if the requested
driver is not available.  A better patch would allow an option list
like qemu.conf allows, but this patch doesn't do that.

Signed-off-by: Serge Hallyn <serge.hallyn@xxxxxxxxxx>
---
 src/lxc/lxc_driver.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c
index c3cd62c..233e558 100644
--- a/src/lxc/lxc_driver.c
+++ b/src/lxc/lxc_driver.c
@@ -1541,6 +1541,11 @@ lxcSecurityInit(virLXCDriverConfigPtr cfg)
                                                       cfg->securityDefaultConfined,
                                                       cfg->securityRequireConfined);
     if (!mgr)
+        mgr = virSecurityManagerNew(NULL, LXC_DRIVER_NAME, false,
+                                                      cfg->securityDefaultConfined,
+                                                      cfg->securityRequireConfined);
+
+    if (!mgr)
         goto error;
 
     return mgr;
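Review bot: the retry under the first `if (!mgr)` runs on any failure of the first virSecurityManagerNew() call and runs silently, so a host whose lxc.conf asks for apparmor can end up starting containers unconfined with nothing in the log to show it. Suggest logging a warning (for example with VIR_WARN) that names the driver which failed before retrying, and skipping the retry when `cfg->securityRequireConfined` is true: that value is passed unchanged to the second call, and an administrator who requires confinement should get a hard failure rather than a downgrade. The retry also passes `NULL` rather than "none" as the driver name, which does not obviously match the commit message's "fall back to 'none'"; a comment stating what `NULL` selects here would help. Style: the continuation lines of the new call are not aligned with its opening parenthesis.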
-- 
2.1.0

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



