Due to a bug the seclabels are restored before any PID in the container is killed. This should be done afterwards in virLXCProcessCleanup.
Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx>
---
 src/lxc/lxc_process.c | 22 +++++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/src/lxc/lxc_process.c b/src/lxc/lxc_process.c
index 33c806630b..a3481bfa08 100644
--- a/src/lxc/lxc_process.c
+++ b/src/lxc/lxc_process.c
@@ -180,6 +180,17 @@ static void virLXCProcessCleanup(virLXCDriverPtr driver,
 VIR_FREE(xml);
 }
+ virSecurityManagerRestoreAllLabel(driver->securityManager,
+ vm->def, false, false);
+ virSecurityManagerReleaseLabel(driver->securityManager, vm->def);
+ /* Clear out dynamically assigned labels */
+ if (vm->def->nseclabels &&
+ vm->def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
+ VIR_FREE(vm->def->seclabels[0]->model);
+ VIR_FREE(vm->def->seclabels[0]->label);
+ VIR_FREE(vm->def->seclabels[0]->imagelabel);
+ }
+
 /* Stop autodestroy in case guest is restarted */
 virCloseCallbacksUnset(driver->closeCallbacks, vm, lxcProcessAutoDestroy);
@@ -836,17 +847,6 @@ int virLXCProcessStop(virLXCDriverPtr driver,
 priv = vm->privateData;
- virSecurityManagerRestoreAllLabel(driver->securityManager,
- vm->def, false, false);
- virSecurityManagerReleaseLabel(driver->securityManager, vm->def);
- /* Clear out dynamically assigned labels */
- if (vm->def->nseclabels &&
- vm->def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
- VIR_FREE(vm->def->seclabels[0]->model);
- VIR_FREE(vm->def->seclabels[0]->label);
- VIR_FREE(vm->def->seclabels[0]->imagelabel);
- }
-
 /* If the LXC domain is suspended we send all processes a SIGKILL
 * and thaw them. Upon wakeup the process sees the pending signal
 * and dies immediately. It is guaranteed that priv->cgroup != NULL
--
2.19.2
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
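Review bot: The block added to virLXCProcessCleanup discards the result of `virSecurityManagerRestoreAllLabel()`, so a failed restore would leave host paths carrying the container's label with nothing in the log. Checking for a negative return and emitting a warning would make that visible, e.g. `if (virSecurityManagerRestoreAllLabel(driver->securityManager, vm->def, false, false) < 0) VIR_WARN("Unable to restore security labels on %s", vm->def->name);`. The dynamic-label cleanup also looks only at `seclabels[0]`; if a domain can carry more than one seclabel (`nseclabels > 1`), later dynamic entries would keep stale `label`/`imagelabel` values, which a loop over `nseclabels` would avoid. Since the ordering is the whole point of the move, a comment such as `/* Restore labels only after every container PID is gone */` above the call would keep it from being moved back. The function body starts and ends outside this hunk, so whether every caller of virLXCProcessCleanup has already killed the container's processes cannot be confirmed from here.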