Re: [PATCH 1/2] selinux: fix wrong tapfd relablling

On 10/17/2012 04:30 PM, Daniel P. Berrange wrote:
> On Wed, Oct 17, 2012 at 11:32:45AM +0800, Guannan Ren wrote:
>> It should relabel tapfd of virtual network of type VIR_DOMAIN_NET_TYPE_DIRECT
>> rather than VIR_DOMAIN_NET_TYPE_NETWORK and VIR_DOMAIN_NET_TYPE_BRIDGE
>> (commit ae368ebfcc4923d0b32e83d4ca96a6f599625785 introduced this bug)
> Why?  IMHO, if we're going to the trouble of relabelling TAP file descriptors
> with an MCS category, we should relabel *all* of them.
>
> Daniel

Eric hit such an AVC denial in this case, where /dev/net/tun is relabelled with MCS: "libvirtd would now be assigning a label to /dev/net/tun, which makes it impossible
   for anyone else (like openvpn) to also open a tun device."

type=AVC msg=audit(1350411375.542:759325): avc: denied { read } for pid=4773
   comm="openvpn" path="/dev/net/tun" dev=devtmpfs ino=9557
   scontext=system_u:system_r:openvpn_t:s0
   tcontext=system_u:object_r:tun_tap_device_t:s0:c1,c489
   tclass=chr_file

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
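The denial quoted above is an MCS failure, not a type-enforcement one: openvpn_t at plain s0 holds no categories, so it cannot dominate a /dev/net/tun node that libvirtd has stamped with a guest's s0:c1,c489. The parser below, an added example for this thread and not libvirt code, reads AVC records of the shape shown above, splits each context into type and MCS category set, and separates "subject lacks the object's categories" (the shared-device collision Eric saw) from ordinary type-enforcement denials. It generalises slightly beyond the page: it also handles a subject that carries a different category set (a guest reaching another guest's tap) and category ranges such as c0.c1023. The first sample record is the one from the thread; the other two are constructed, and every function name is my own.

```python
"""Classify SELinux AVC denials by whether MCS categories caused them.

Added example for the libvir-list thread on tapfd relabelling; not libvirt
code.  Parsing covers `type=AVC msg=audit(...) avc: denied { perms } ...`
records as printed by auditd.  Helper names and the two records marked
"constructed" are assumptions for illustration.
"""
import re
from dataclasses import dataclass

# First record is the real one from the thread (joined onto one line);
# the next two are constructed to show the other two outcomes.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1350411375.542:759325): avc: denied { read } for pid=4773 comm="openvpn" path="/dev/net/tun" dev=devtmpfs ino=9557 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:tun_tap_device_t:s0:c1,c489 tclass=chr_file
type=AVC msg=audit(1350411400.100:759330): avc: denied { write } for pid=5001 comm="httpd" path="/var/www/html/x" dev=dm-0 ino=12 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1350411410.200:759331): avc: denied { read write } for pid=5100 comm="qemu-kvm" path="/dev/net/tun" dev=devtmpfs ino=9557 scontext=system_u:system_r:svirt_t:s0:c7,c300 tcontext=system_u:object_r:tun_tap_device_t:s0:c1,c489 tclass=chr_file
"""

AVC_RE = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_categories(level: str) -> frozenset:
    """'s0:c1,c489' -> {1, 489}; 's0-s0:c0.c1023' -> {0..1023}; 's0' -> {}.
    For a low-high range the high end is used, which is what the refpolicy
    MCS constraints compare (h1 dom h2)."""
    high = level.split('-')[-1]
    if ':' not in high:
        return frozenset()
    cats = set()
    for tok in high.split(':', 1)[1].split(','):
        if '.' in tok:                       # cN.cM range
            lo, hi = tok.split('.')
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(tok[1:]))
    return frozenset(cats)


@dataclass(frozen=True)
class SEContext:
    user: str
    role: str
    type: str
    level: str
    cats: frozenset


def parse_context(ctx: str) -> SEContext:
    # user:role:type[:level]; the level itself may contain ':' (s0:c1,c489)
    parts = ctx.split(':', 3)
    level = parts[3] if len(parts) == 4 else ''
    return SEContext(parts[0], parts[1], parts[2], level, parse_categories(level))


@dataclass(frozen=True)
class AvcRecord:
    verdict: str
    perms: frozenset
    comm: str
    path: str
    scontext: SEContext
    tcontext: SEContext
    tclass: str


def parse_avc(line: str):
    """Return an AvcRecord for an AVC line, or None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return AvcRecord(m.group('verdict'), frozenset(m.group('perms').split()),
                     kv.get('comm', ''), kv.get('path', ''),
                     parse_context(kv['scontext']), parse_context(kv['tcontext']),
                     kv.get('tclass', ''))


def mcs_dominates(subject_cats: frozenset, object_cats: frozenset) -> bool:
    """MCS dominance: the subject must hold every category the object carries."""
    return object_cats <= subject_cats


def explain(rec: AvcRecord) -> str:
    s, t = rec.scontext.cats, rec.tcontext.cats
    if t and not mcs_dominates(s, t):
        # Object was categorised (e.g. by sVirt) but the subject cannot reach it.
        return 'mcs-collision' if not s else 'mcs-mismatch'
    return 'type-enforcement'


def shared_device_collisions(audit_text: str) -> list:
    """(comm, path, object level) for every denial where an uncategorised
    subject was blocked by a categorised object: the /dev/net/tun case."""
    out = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and rec.verdict == 'denied' and explain(rec) == 'mcs-collision':
            out.append((rec.comm, rec.path, rec.tcontext.level))
    return out


if __name__ == '__main__':
    for line in SAMPLE_AUDIT.splitlines():
        rec = parse_avc(line)
        print(f'{rec.comm:9} {rec.path:20} {explain(rec)}')
```

Run over the thread's record this reports the openvpn denial as an MCS collision on /dev/net/tun with the object at s0:c1,c489; with the shared node left at plain s0, as after the fix under discussion, both category sets are empty and dominance holds for any subject.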

