On 03/13/2013 12:04 PM, Daniel P. Berrange wrote:
> From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>
>
> Normally libvirtd should run with a SELinux label
>
> system_u:system_r:virtd_t:s0-s0:c0.c1023
>
> If a user manually runs libvirtd though, it is sometimes
> possible to get into a situation where it is running
>
> system_u:system_r:init_t:s0
>
> The SELinux security driver isn't expecting this and can't
> parse the security label since it lacks the ':c0.c1023' part
> causing it to complain
>
> internal error Cannot parse sensitivity level in s0
>
> This updates the parser to cope with this, so if no category
> is present, libvirtd will hardcode the equivalent of c0.c1023.
>
> Now this won't work if SELinux is in Enforcing mode, but that's
> not an issue, because the user can only get into this problem
> if in Permissive mode. This means they can now start VMs in
> Permissive mode without hitting that parsing error
>
> Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
> ---
> src/security/security_selinux.c | 38 +++++++++++++++++++++++++++++---------
> tests/securityselinuxtest.c | 12 ++++++++++++
> 2 files changed, 41 insertions(+), 9 deletions(-)

ACK.

> + *
> + * In the first two cases, we'll assume c0.c1023 for
> + * the category part, since that's what we're really
> + * interested in. This won't work in Enforcing mode,
> + * but will prevent libvirtd breaking in Permissive
> + * mode when run with a wierd procss label.

s/wierd procss/weird process/

--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
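Review bot: The added comment's last sentence says the assumed c0.c1023 "won't work in Enforcing mode" but does not say how an administrator would learn that the category part was assumed rather than parsed from the process label. Consider extending the comment to state whether the fallback is logged, and emitting a warning at the point where the default is applied, so a libvirtd running under an unexpected label is diagnosable instead of silently getting the full category range.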
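The parsing case described in the commit message, as an added example that is not part of the patch or of libvirt's code: a context whose range field is a bare sensitivity (`s0`) falls back to c0.c1023 instead of failing. The function name `mcs_category_range`, the c0..c1023 bound check and the rejection of comma-separated category sets are assumptions of this sketch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not libvirt's function: find the category range
 * usable for MCS labels in a process context. Returns 0 or -1. */
int mcs_category_range(const char *ctx, int *cat_min, int *cat_max)
{
    const char *p = ctx, *dash;
    char *end;
    long lo, hi;

    for (int i = 0; i < 3; i++) {       /* skip "user:role:type:" */
        if (!(p = strchr(p, ':'))) return -1;
        p++;
    }
    if ((dash = strchr(p, '-')))        /* "low-high": use the high level */
        p = dash + 1;
    if (*p != 's') return -1;
    (void)strtol(p + 1, &end, 10);      /* sensitivity number, value unused */
    if (end == p + 1) return -1;        /* no digits after 's' */
    if (*end == '\0') {                 /* bare "s0": assume c0.c1023 */
        *cat_min = 0;
        *cat_max = 1023;
        return 0;
    }
    if (end[0] != ':' || end[1] != 'c') return -1;
    p = end + 2;
    lo = hi = strtol(p, &end, 10);
    if (end == p) return -1;
    if (end[0] == '.' && end[1] == 'c') {   /* "cN.cM" range */
        p = end + 2;
        hi = strtol(p, &end, 10);
        if (end == p) return -1;
    }
    /* Assumption: categories are c0..c1023; sets like "c1,c5" are rejected. */
    if (*end != '\0' || lo < 0 || hi < lo || hi > 1023) return -1;
    *cat_min = (int)lo;
    *cat_max = (int)hi;
    return 0;
}

int main(void)
{
    int lo, hi;
    /* Label taken from the commit message above. */
    if (mcs_category_range("system_u:system_r:init_t:s0", &lo, &hi) == 0)
        printf("init_t:s0 -> c%d.c%d\n", lo, hi);
    return 0;
}
```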