On 01/25/2013 02:39 PM, Daniel J Walsh wrote:
> (2nd pass)
>
>
> lxc-enter-namespace allows a process from outside a container to start a
> process inside a container. One problem with the current code is the
> process running within the container would run with the label of the
> process that created it.
>
> For example if the admin process is running as unconfined_t and executes
> the following command
>
>
> # virsh -c lxc:/// lxc-enter-namespace --nolabel dan -- /bin/ps -eZ
> LABEL                                            PID TTY          TIME CMD
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023      1 pts/0    00:00:00 systemd
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023      3 pts/1    00:00:00 sh
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023     24 ?        00:00:00 systemd-journal
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023     29 ?        00:00:00 dhclient
> staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023  47 ?        00:00:00 ps
>
> Note the ps command is running as unconfined_t. After this patch,
>
>
> virsh -c lxc:/// lxc-enter-namespace dan -- /bin/ps -eZ
> LABEL                                            PID TTY          TIME CMD
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023      1 pts/0    00:00:00 systemd
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023      3 pts/1    00:00:00 sh
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023     24 ?        00:00:00 systemd-journal
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023     32 ?        00:00:00 dhclient
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023     38 ?        00:00:00 ps
>
> I also add a --nolabel command to virsh, which can go back to the original
> behaviour.
>
> virsh -c lxc:/// lxc-enter-namespace --nolabel dan -- /bin/ps -eZ
> LABEL                                            PID TTY          TIME CMD
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023      1 pts/0    00:00:00 systemd
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023      3 pts/1    00:00:00 sh
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023     24 ?        00:00:00 systemd-journal
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023     32 ?        00:00:00 dhclient
> staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023  37 ?        00:00:00 ps
>
>
> Everything seems to be working perfectly now.
>
> Any comment on this?

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
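A defender-side check for the label-inheritance problem the thread describes, as an added example that is not part of the libvirt patch or the mail: it parses `ps -eZ` output taken from inside a container and flags any process whose SELinux context differs from the container's own (the context of PID 1). The sample listings are constructed from the ones quoted above; the column layout assumed is the standard `LABEL PID TTY TIME CMD`.

```python
"""Flag processes inside a container running with an outside SELinux label.
Added example; input is `ps -eZ` text, the container label is PID 1's."""
import re

# Constructed from the listing quoted in the thread, before the patch:
# ps kept the caller's unconfined_t label instead of the container's.
PS_BEFORE = """\
LABEL                                            PID TTY          TIME CMD
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023      1 pts/0    00:00:00 systemd
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023      3 pts/1    00:00:00 sh
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023     24 ?        00:00:00 systemd-journal
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023     29 ?        00:00:00 dhclient
staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023  47 ?        00:00:00 ps
"""
# Constructed from the listing after the patch: ps now carries the container label.
PS_AFTER = """\
LABEL                                            PID TTY          TIME CMD
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023      1 pts/0    00:00:00 systemd
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023     24 ?        00:00:00 systemd-journal
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023     38 ?        00:00:00 ps
"""

_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(.+?)\s*$")

def parse_ps_ez(text):
    """Yield (context, pid, cmd) for each data row; the header row is skipped."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("LABEL"):
            continue
        m = _ROW.match(line)
        if not m:
            raise ValueError("unrecognised ps -eZ row: %r" % line)
        yield m.group(1), int(m.group(2)), m.group(5)

def split_context(ctx):
    """user:role:type:range, split at most three times because the MCS range
    itself contains ':' (e.g. s0:c0.c1023)."""
    return tuple(ctx.split(":", 3))

def foreign_processes(ps_text):
    """Return [(pid, cmd, context)] for every process whose context does not
    match PID 1's, i.e. a process inside the container with an outside label."""
    rows = list(parse_ps_ez(ps_text))
    init = [ctx for ctx, pid, _ in rows if pid == 1]
    if not init:
        raise ValueError("no PID 1: listing was not taken from inside the container")
    expected = split_context(init[0])
    return [(pid, cmd, ctx) for ctx, pid, cmd in rows
            if split_context(ctx) != expected]
```

Run it against a live listing with `foreign_processes(subprocess.check_output(["ps", "-eZ"], text=True))` from inside the container; a non-empty result means something entered the namespace without taking the container's label.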