Re: This patch adds the label to lxc-enter-namespace

On 01/25/2013 02:39 PM, Daniel J Walsh wrote:
> (2nd pass)
> 
> 
> lxc-enter-namespace allows a process from outside a container to start a
> process inside a container.  One problem with the current code is the
> process running within the container would run with the label of the
> process that created it.
> 
> For example if the admin process is running as unconfined_t and executes
> the following command
> 
> 
> # virsh -c lxc:/// lxc-enter-namespace --nolabel dan -- /bin/ps -eZ
> LABEL                                             PID TTY          TIME CMD
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023       1 pts/0    00:00:00 systemd
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023       3 pts/1    00:00:00 sh
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023      24 ?        00:00:00 systemd-journal
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023      29 ?        00:00:00 dhclient
> staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023   47 ?        00:00:00 ps
> 
> Note the ps command is running as unconfined_t.  After this patch,
> 
> 
> virsh -c lxc:/// lxc-enter-namespace dan -- /bin/ps -eZ
> LABEL                                             PID TTY          TIME CMD
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023       1 pts/0    00:00:00 systemd
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023       3 pts/1    00:00:00 sh
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023      24 ?        00:00:00 systemd-journal
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023      32 ?        00:00:00 dhclient
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023      38 ?        00:00:00 ps
> 
> I also add a --nolabel command to virsh, which can go back to the original 
> behaviour.
> 
> virsh -c lxc:/// lxc-enter-namespace --nolabel dan -- /bin/ps -eZ
> LABEL                                             PID TTY          TIME CMD
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023       1 pts/0    00:00:00 systemd
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023       3 pts/1    00:00:00 sh
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023      24 ?        00:00:00 systemd-journal
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023      32 ?        00:00:00 dhclient
> staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023   37 ?        00:00:00 ps
> 
> 
> Everything seems to be working perfectly now.
> 
> 


Any comment on this?

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
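
A check for the behaviour the quoted message describes, as an added example that is not part of the thread or of libvirt: it parses `ps -eZ` output taken inside a container and reports any process whose SELinux type or level differs from the container's PID 1. The sample listings are constructed from the ones quoted above, and the function names and the "everything matches PID 1" rule are assumptions of this example.

```python
# Added example, not libvirt code. Assumption: every process in the container
# is expected to share the SELinux type and MCS level of the container's PID 1.

# Constructed samples modelled on the `ps -eZ` listings quoted in the message.
HEADER = "LABEL                                            PID TTY          TIME CMD\n"
CONTAINER = "system_u:system_r:svirt_lxc_net_t:s0:c0.c1023"
SAMPLE_NOLABEL = HEADER + (
    f"{CONTAINER}   1 pts/0    00:00:00 systemd\n"
    f"{CONTAINER}   3 pts/1    00:00:00 sh\n"
    f"{CONTAINER}  24 ?        00:00:00 systemd-journal\n"
    f"{CONTAINER}  29 ?        00:00:00 dhclient\n"
    "staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023  47 ?  00:00:00 ps\n"
)
SAMPLE_LABELED = HEADER + (
    f"{CONTAINER}   1 pts/0    00:00:00 systemd\n"
    f"{CONTAINER}  38 ?        00:00:00 ps\n"
)

FIELDS = ("user", "role", "type", "level")


def parse_ps_ez(text):
    """Yield (pid, cmd, context dict) for each process row of `ps -eZ` output."""
    for line in text.splitlines():
        cols = line.split(None, 4)
        if len(cols) < 5 or not cols[1].isdigit():
            continue  # header, blank or wrapped line
        parts = cols[0].split(":", 3)  # the level itself may contain ':'
        if len(parts) != 4:
            parts = [cols[0]] * 4  # e.g. "-" when no label is reported
        yield int(cols[1]), cols[4], dict(zip(FIELDS, parts))


def label_mismatches(text, compare=("type", "level")):
    """Return [(pid, cmd, {field: (expected, actual)})] relative to PID 1."""
    procs = list(parse_ps_ez(text))
    init = next((ctx for pid, _, ctx in procs if pid == 1), None)
    if init is None:
        raise ValueError("no PID 1 in listing; cannot determine container label")
    out = []
    for pid, cmd, ctx in procs:
        diff = {f: (init[f], ctx[f]) for f in compare if ctx[f] != init[f]}
        if diff:
            out.append((pid, cmd, diff))
    return out


if __name__ == "__main__":
    for pid, cmd, diff in label_mismatches(SAMPLE_NOLABEL):
        print(f"pid {pid} ({cmd}) differs from container init: {diff}")
```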

