On 08.01.2014 04:03, Gao feng wrote: > the unix socket /var/run/libvirt/lxc/domain.sock is not created > under the selinux context which configured by <seclabel>. > > If we try to connect the domain.sock under the selinux context > of domain in virtLXCProcessConnectMonitor,selinux will deny > this connect operation. > > type=AVC msg=audit(1387953696.067:662): avc: denied { connectto } for pid=21206 comm="libvirtd" path="/usr/local/var/run/libvirt/lxc/systemd.sock" scontext=unconfined_u:system_r:svirt_lxc_net_t:s0:c770,c848 tcontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket > > fix this problem by creating socket under selinux context of domain. > > Signed-off-by: Gao feng <gaofeng@xxxxxxxxxxxxxx> > --- > src/lxc/lxc_controller.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c > index a2ae599..5ca960f 100644 > --- a/src/lxc/lxc_controller.c > +++ b/src/lxc/lxc_controller.c > @@ -745,6 +745,9 @@ static int virLXCControllerSetupServer(virLXCControllerPtr ctrl) > ctrl))) > goto error; > > + if (virSecurityManagerSetSocketLabel(ctrl->securityManager, ctrl->def) < 0) > + goto error; > + > if (!(svc = virNetServerServiceNewUNIX(sockpath, > 0700, > 0, > @@ -757,6 +760,9 @@ static int virLXCControllerSetupServer(virLXCControllerPtr ctrl) > 5))) > goto error; > > + if (virSecurityManagerClearSocketLabel(ctrl->securityManager, ctrl->def) < 0) > + goto error; > + > if (virNetServerAddService(ctrl->server, svc, NULL) < 0) > goto error; > virObjectUnref(svc); > ACKed & pushed. Michal -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
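Review bot: in the first hunk, the `goto error` on `virNetServerServiceNewUNIX()` failure is reached while the socket-creation label set by `virSecurityManagerSetSocketLabel()` is still active, because the matching `virSecurityManagerClearSocketLabel()` only runs in the second hunk after the service is created. Consider clearing the label on that error path too (e.g. a `virSecurityManagerClearSocketLabel()` call before jumping, or a dedicated cleanup label), so that any socket the error path or the caller creates afterwards is not silently labelled with the domain's context.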
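Review bot: in the second hunk, `goto error` when `virSecurityManagerClearSocketLabel()` fails happens after `svc` has been allocated by `virNetServerServiceNewUNIX()` but before `virObjectUnref(svc)`, so `svc` is leaked on that path unless the `error` label releases it (not visible in the hunk). Suggest an `virObjectUnref(svc)` before the jump, or ordering the clear so that the unref is reached on both paths. It would also be worth a one-line comment that the set/clear pair scopes the domain label to the listening socket only, since that is the intent the commit message describes.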