On 01/07/2014 10:37 PM, Michal Privoznik wrote:
> On 25.12.2013 08:02, Gao feng wrote:
>> the unix socket /var/run/libvirt/lxc/domain.sock is not created
>> under the selinux context which is configured by <seclabel>.
>>
>> If we try to connect to domain.sock under the selinux context
>> of the domain in virLXCProcessConnectMonitor, selinux will deny
>> this connect operation.
>>
>> type=AVC msg=audit(1387953696.067:662): avc: denied { connectto } for pid=21206 comm="libvirtd" path="/usr/local/var/run/libvirt/lxc/systemd.sock" scontext=unconfined_u:system_r:svirt_lxc_net_t:s0:c770,c848 tcontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>>
>> Since there is no harm in accessing domain.sock out of the domain's
>> context, this patch removes the setsockcreatecon in
>> virLXCProcessConnectMonitor.
>>
>> Signed-off-by: Gao feng <gaofeng@xxxxxxxxxxxxxx>
>> ---
>> src/lxc/lxc_process.c | 12 ------------
>> 1 file changed, 12 deletions(-)
>>
>> diff --git a/src/lxc/lxc_process.c b/src/lxc/lxc_process.c
>> index cc9c1a2..b336ade 100644
>> --- a/src/lxc/lxc_process.c
>> +++ b/src/lxc/lxc_process.c
>> @@ -640,9 +640,6 @@ static virLXCMonitorPtr virLXCProcessConnectMonitor(virLXCDriverPtr driver,
>> virLXCMonitorPtr monitor = NULL;
>> virLXCDriverConfigPtr cfg = virLXCDriverGetConfig(driver);
>>
>> - if (virSecurityManagerSetSocketLabel(driver->securityManager, vm->def) < 0)
>> - goto cleanup;
>> -
>> /* Hold an extra reference because we can't allow 'vm' to be
>> * deleted while the monitor is active */
>> virObjectRef(vm);
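Review bot: Removing virSecurityManagerSetSocketLabel() here also removes the only `goto cleanup` in the function, so the `cleanup:` label must be dropped in the same patch (the second hunk does this; keep both hunks together on respin). The larger question is whether this is the right side to fix: the AVC shows the connect denied because the caller runs as svirt_lxc_net_t:s0:c770,c848 while the socket it dials is owned by unconfined_t, i.e. the connect-side label was working as intended and it is the socket's creation label that does not match <seclabel>. After this change libvirtd dials the monitor as unconfined_t and the per-domain MCS categories no longer apply to that connection; labelling domain.sock correctly where it is created would keep that separation, as the reply below also suggests.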
>> @@ -652,15 +649,6 @@ static virLXCMonitorPtr virLXCProcessConnectMonitor(virLXCDriverPtr driver,
>> if (monitor == NULL)
>> virObjectUnref(vm);
>>
>> - if (virSecurityManagerClearSocketLabel(driver->securityManager, vm->def) < 0) {
>> - if (monitor) {
>> - virObjectUnref(monitor);
>> - monitor = NULL;
>> - }
>> - goto cleanup;
>> - }
>> -
>> -cleanup:
>> virObjectUnref(cfg);
>> return monitor;
>> }
>>
>
> This patch looks good, but just one question - shouldn't the monitor
> socket be created with the correct selinux label instead? You know, the
> other approach to fix this issue.
>

Yes, maybe this will be better, will send v2 patch.

Thanks!

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
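Review bot: Dropping `cleanup:` in the second hunk is consistent with the removed `goto cleanup` in the first, and the failure path is unchanged: a NULL `monitor` already drops the extra `vm` reference before falling through to `virObjectUnref(cfg)`. What disappears is the `virObjectUnref(monitor)` on a failed virSecurityManagerClearSocketLabel(); that path is dead once no label is set, but if v2 keeps the Set/Clear pair on the connect side (and fixes the label at socket creation instead), this error handling should be retained rather than removed.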
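The AVC record quoted in the mail is easier to reason about once its fields are pulled apart: which type is connecting, which type owns the socket, which object class and permission were refused, and what MCS categories each side carries. The following is an added example, not code from the thread or from libvirt, that parses an AVC "denied" record in the format shown above, expands the MCS categories of both contexts, and builds the type-enforcement rule that audit2allow would derive. The sample record is the one from the mail; the function names and the `triage` summary are my own.

```python
"""Triage one SELinux AVC 'denied' record (added example; not libvirt code)."""
import re

# The AVC line quoted in the mail, kept here as sample input.
SAMPLE_AVC = (
    'type=AVC msg=audit(1387953696.067:662): avc: denied { connectto } for pid=21206 '
    'comm="libvirtd" path="/usr/local/var/run/libvirt/lxc/systemd.sock" '
    'scontext=unconfined_u:system_r:svirt_lxc_net_t:s0:c770,c848 '
    'tcontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket'
)

_DENIED_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
# key=value pairs; values are either double-quoted (comm, path) or bare tokens.
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Return (perms, fields) for one AVC denial record; raise ValueError otherwise."""
    m = _DENIED_RE.search(line)
    if not m:
        raise ValueError('not an AVC denial record')
    perms = tuple(m.group('perms').split())
    fields = {key: (quoted if quoted else bare)
              for key, quoted, bare in _FIELD_RE.findall(m.group('rest'))}
    for required in ('scontext', 'tcontext', 'tclass'):
        if required not in fields:
            raise ValueError('AVC record lacks ' + required)
    return perms, fields


def split_context(ctx):
    """'user:role:type:range' -> dict. The MLS/MCS range itself contains ':' (s0:c770,c848),
    so split at most three times and keep the remainder whole."""
    user, role, typ, mls = ctx.split(':', 3)
    return {'user': user, 'role': role, 'type': typ, 'range': mls}


def categories(mls_range):
    """Expand the MCS categories of the high level of a range.
    's0:c770,c848' -> {770, 848}; 's0-s0:c0.c1023' -> {0, ..., 1023}; 's0' -> set()."""
    high = mls_range.split('-')[-1]          # 's0-s0:c0.c1023' -> 's0:c0.c1023'
    parts = high.split(':', 1)
    if len(parts) == 1:                      # sensitivity only, no categories
        return set()
    cats = set()
    for item in parts[1].split(','):
        if '.' in item:                      # 'c0.c1023' is an inclusive range
            lo, hi = item.split('.')
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(item[1:]))
    return cats


def allow_rule(perms, fields):
    """Type-enforcement rule in the shape audit2allow prints for this denial."""
    src = split_context(fields['scontext'])['type']
    tgt = split_context(fields['tcontext'])['type']
    perm = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (src, tgt, fields['tclass'], perm)


def triage(line):
    """Summarise who was denied what, and whether MCS would have allowed it anyway."""
    perms, fields = parse_avc(line)
    src = split_context(fields['scontext'])
    tgt = split_context(fields['tcontext'])
    src_cats, tgt_cats = categories(src['range']), categories(tgt['range'])
    return {
        'comm': fields.get('comm'),
        'pid': int(fields['pid']) if 'pid' in fields else None,
        'path': fields.get('path'),
        'source_type': src['type'],
        'target_type': tgt['type'],
        'source_cats': sorted(src_cats),
        'target_cats_count': len(tgt_cats),
        # Source categories inside the target's set means the denial is not an MCS
        # mismatch but a plain type-enforcement gap between the two types.
        'mcs_subset': src_cats <= tgt_cats,
        'rule': allow_rule(perms, fields),
    }


if __name__ == '__main__':
    for key, value in triage(SAMPLE_AVC).items():
        print('%-18s %s' % (key + ':', value))
```

For the record in the mail the output shows svirt_lxc_net_t (categories 770 and 848) denied `connectto` on a unix_stream_socket owned by unconfined_t, whose range covers every category, so MCS is not what blocks it; the missing piece is a type-enforcement permission. Whether to add the generated allow rule or, as the thread ends up preferring, to label the socket correctly at creation so the existing svirt policy applies, is a design decision, not something to take from audit2allow output blindly.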