From: Daniel Walsh <dwalsh@xxxxxxxxxx>

The SELinux policy for LXC uses a different confinguration file to the traditional svirt one. Thus we need to load /etc/selinux/targeted/contexts/lxc_contexts which contains something like this:

process = "system_u:system_r:svirt_lxc_net_t:s0"
file = "system_u:object_r:svirt_lxc_file_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"

cleverly designed to be parsable by virConfPtr

Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
---
 src/security/security_selinux.c | 80 ++++++++++++++++++++++++++++++++++++++-
 1 file changed, 79 insertions(+), 1 deletion(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 7202e71..dd6aee9 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -126,8 +126,73 @@ err:
     return newcontext;
 }
 
+
 static int
-SELinuxInitialize(virSecurityManagerPtr mgr)
+SELinuxLXCInitialize(virSecurityManagerPtr mgr)
+{
+    virConfValuePtr scon = NULL;
+    virConfValuePtr tcon = NULL;
+    virConfValuePtr dcon = NULL;
+    virConfPtr selinux_conf;
+    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
+
+    selinux_conf = virConfReadFile(selinux_lxc_contexts_path(), 0);
+    if (!selinux_conf) {
+        virReportSystemError(errno,
+                             _("cannot open SELinux lxc contexts file '%s'"),
+                             selinux_lxc_contexts_path());
+        return -1;
+    }
+
+    scon = virConfGetValue(selinux_conf, "process");
+    if (! scon || scon->type != VIR_CONF_STRING || (! scon->str)) {
+        virReportSystemError(errno,
+                             _("cannot read 'process' value from selinux lxc contexts file '%s'"),
+                             selinux_lxc_contexts_path());
+        goto error;
+    }
+
+    tcon = virConfGetValue(selinux_conf, "file");
+    if (! tcon || tcon->type != VIR_CONF_STRING || (! tcon->str)) {
+        virReportSystemError(errno,
+                             _("cannot read 'file' value from selinux lxc contexts file '%s'"),
+                             selinux_lxc_contexts_path());
+        goto error;
+    }
+
+    dcon = virConfGetValue(selinux_conf, "content");
+    if (! dcon || dcon->type != VIR_CONF_STRING || (! dcon->str)) {
+        virReportSystemError(errno,
+                             _("cannot read 'file' value from selinux lxc contexts file '%s'"),
+                             selinux_lxc_contexts_path());
+        goto error;
+    }
+
+    data->domain_context = strdup(scon->str);
+    data->file_context = strdup(tcon->str);
+    data->content_context = strdup(dcon->str);
+    if (!data->domain_context ||
+        !data->file_context ||
+        !data->content_context) {
+        virReportSystemError(errno,
+                             _("cannot allocate memory for LXC SELinux contexts '%s'"),
+                             selinux_lxc_contexts_path());
+        goto error;
+    }
+    virConfFree(selinux_conf);
+    return 0;
+
+error:
+    virConfFree(selinux_conf);
+    VIR_FREE(data->domain_context);
+    VIR_FREE(data->file_context);
+    VIR_FREE(data->content_context);
+    return -1;
+}
+
+
+static int
+SELinuxQEMUInitialize(virSecurityManagerPtr mgr)
 {
     char *ptr;
     virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
@@ -170,6 +235,19 @@ error:
     return -1;
 }
 
+
+static int
+SELinuxInitialize(virSecurityManagerPtr mgr)
+{
+    VIR_DEBUG("SELinuxInitialize %s", virSecurityManagerGetDriver(mgr));
+    if (STREQ(virSecurityManagerGetDriver(mgr), "LXC")) {
+        return SELinuxLXCInitialize(mgr);
+    } else {
+        return SELinuxQEMUInitialize(mgr);
+    }
+}
+
+
 static int
 SELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
                         virDomainDefPtr def)
-- 
1.7.10.1

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
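Review bot: The 'content' lookup in SELinuxLXCInitialize reports the wrong key: its message is the 'file' text copied from the block above it, so a missing or non-string `content =` entry in lxc_contexts would be reported as a problem with `file`; it should read `_("cannot read 'content' value from selinux lxc contexts file '%s'")`. The three virConfGetValue checks also go through virReportSystemError(errno, ...), but a missing key or wrong value type in a file that virConfReadFile already parsed does not set errno, so the appended strerror text will be whatever stale value was left behind; a non-errno report (the file's existing virSecurityReportError with VIR_ERR_INTERNAL_ERROR, or its equivalent) fits those three checks, while the virConfReadFile and strdup failures can keep the errno form. Since the three contexts are stored verbatim from an admin-edited file, passing each through libselinux's security_check_context() before the strdup calls would turn a malformed entry into a clear initialization error instead of a failure later when the label is applied; the body of SELinuxQEMUInitialize continues outside the hunk, so whether the svirt path does this is not visible here.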
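Review bot: SELinuxInitialize calls virSecurityManagerGetDriver(mgr) twice, once for VIR_DEBUG and once for the STREQ test; caching it in a local, `const char *driver = virSecurityManagerGetDriver(mgr);`, keeps the two uses consistent and reads more clearly. The else branch routes every driver name other than "LXC" to SELinuxQEMUInitialize, which is presumably intended if QEMU is the only other user of this manager, but a comment saying so, `/* every non-LXC driver uses the svirt (QEMU) contexts file */`, would spare the next reader the question. The signature of SELinuxGenSecurityLabel at the end of the hunk is context only; its body starts outside the hunk.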