On 19.09.2014 18:14, Serge Hallyn wrote:
The security_driver line in /etc/libvirt/qemu.conf is best-effort - if
selinux is not available on the host, then 'none' will be used.
The security_driver line in /etc/libvirt/lxc.conf doesn't behave the
same way - if apparmor is specified but policies are not available
on the host, then container creation fails.
This patch always tries to fall back to 'none' if the requested
driver is not available. A better patch would allow an option list
like qemu.conf allows, but this patch doesn't do that.
Signed-off-by: Serge Hallyn <serge.hallyn@xxxxxxxxxx>
---
src/lxc/lxc_driver.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c
index c3cd62c..233e558 100644
--- a/src/lxc/lxc_driver.c
+++ b/src/lxc/lxc_driver.c
@@ -1541,6 +1541,11 @@ lxcSecurityInit(virLXCDriverConfigPtr cfg)
cfg->securityDefaultConfined,
cfg->securityRequireConfined);
if (!mgr)
+ mgr = virSecurityManagerNew(NULL, LXC_DRIVER_NAME, false,
+ cfg->securityDefaultConfined,
+ cfg->securityRequireConfined);
+
+ if (!mgr)
goto error;
return mgr;
IIUC the code, the new sec manager is created from
cfg->securityDriverName which has no default value. It contains only
what user specified in lxc.conf. Well, if user sets apparmor there but
it's not available for whatever reason, we must fail and not workaround it.
Michal
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list