On Mon, Oct 01, 2018 at 10:34:38AM +0200, Michal Privoznik wrote:
> On 09/27/2018 05:02 PM, Ján Tomko wrote:
> > We switched to opening mode='bind' sockets ourselves:
> >   commit 30fb2276d88b275dc2aad6ddd28c100d944b59a5
> >   qemu: support passing pre-opened UNIX socket listen FD
> >   in v4.5.0-rc1~251
> >
> > Then fixed qemuBuildChrChardevStr to change libvirtd's label while
> > creating the socket:
> >   commit b0c6300fc42bbc3e5eb0b236392f7344581c5810
> >   qemu: ensure FDs passed to QEMU for chardevs have correct SELinux labels
> >   in v4.5.0-rc1~52
> >
> > Also add labeling of these sockets to the DAC driver.
> > Instead of trying to figure out which one was created by libvirt,
> > label it if it exists.
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=1633389
> >
> > Signed-off-by: Ján Tomko <jtomko@xxxxxxxxxx>
> > ---
> >  src/security/security_dac.c | 7 ++++++-
> >  1 file changed, 6 insertions(+), 1 deletion(-)
>
> How come SELinux is not affected? We shouldn't rely on default policy
> doing the right thing.
As mentioned in the commit message, the SELinux label is set before the
socket creation since the commit mentioned in the commit message.

Jano
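The two labeling paths discussed in this thread differ in when the label is applied: the SELinux context is set on the creating process before socket() so the inode is born with the right label, while a DAC label (owner/group) can only be applied to the socket path after bind() has created it. The following is an added example, not libvirt's own code; open_listen_socket, dac_label_socket and run_demo are hypothetical names, the temporary paths are constructed for the demo, and the real security_dac.c driver is not reproduced here. It pre-opens a mode='bind' style UNIX listen socket and then applies DAC ownership only if a socket exists at the path, refusing anything that is not a socket and treating a missing path as a no-op rather than an error, which is the "label it if it exists" rule from the commit message.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Pre-open a listening UNIX socket at `path`, the way a management daemon
 * creates a mode='bind' chardev socket before handing the FD to the guest
 * process. Returns the listening FD, or -1 with errno set. */
int open_listen_socket(const char *path)
{
    struct sockaddr_un addr;
    int fd, saved;

    if (strlen(path) >= sizeof(addr.sun_path)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    fd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
    if (fd < 0)
        return -1;

    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1);

    unlink(path); /* remove a stale socket left by a previous run */
    if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0 ||
        listen(fd, 8) < 0) {
        saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* DAC-label the socket at `path` for the guest's uid/gid.
 * Returns 0 when labelled, 1 when the path does not exist (skipped, not an
 * error), -1 on failure, including when the path exists but is not a socket.
 * lstat()+lchown() are used so a symlink planted at the path is never
 * followed; the check-then-chown window is still a TOCTOU on a directory
 * writable by untrusted users, so keep the socket directory daemon-owned. */
int dac_label_socket(const char *path, uid_t uid, gid_t gid)
{
    struct stat sb;

    if (lstat(path, &sb) < 0)
        return errno == ENOENT ? 1 : -1;
    if (!S_ISSOCK(sb.st_mode)) {
        errno = EINVAL;
        return -1;
    }
    return lchown(path, uid, gid) < 0 ? -1 : 0;
}

/* Exercise the three cases with constructed paths under a temp directory.
 * Returns 0 when every case behaves as expected, else a bitmask of failures. */
int run_demo(void)
{
    char dir[] = "/tmp/dac-sock-XXXXXX";
    char sock_path[128], file_path[128];
    int fd, ffd, rc = 0;
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (!mkdtemp(dir))
        return -1;
    snprintf(sock_path, sizeof(sock_path), "%s/chr.sock", dir);
    snprintf(file_path, sizeof(file_path), "%s/not-a-sock", dir);

    fd = open_listen_socket(sock_path);
    if (fd < 0)
        rc |= 1;
    if (dac_label_socket(sock_path, uid, gid) != 0)  /* existing socket */
        rc |= 2;
    if (dac_label_socket(file_path, uid, gid) != 1)  /* missing path: skip */
        rc |= 4;
    ffd = open(file_path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (ffd < 0 || dac_label_socket(file_path, uid, gid) != -1) /* not a socket */
        rc |= 8;

    if (ffd >= 0) close(ffd);
    if (fd >= 0) close(fd);
    unlink(sock_path);
    unlink(file_path);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = run_demo();
    printf("demo %s (rc=%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc == 0 ? 0 : 1;
}
```

The SELinux half is deliberately absent from the block: that path sets the process's socket-creation context (libselinux setsockcreatecon()) before socket(), so there is nothing to relabel afterwards, which is the point made in the reply above; the DAC driver has no equivalent and must label the path after the fact, hence the existence-and-type check before chown.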
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list