On Fri, Feb 21, 2014 at 02:57:28PM +0100, Cédric Bosdonnat wrote:
> No security_driver value could cause weird behavior, like using
> apparmor even though we don't want it.
> ---
> src/lxc/lxc.conf | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/src/lxc/lxc.conf b/src/lxc/lxc.conf
> index 8df4601..5eb0122 100644
> --- a/src/lxc/lxc.conf
> +++ b/src/lxc/lxc.conf
> @@ -20,6 +20,8 @@
> # to 'none' instead.
> #
> #security_driver = "selinux"
> +#security_driver = "apparmor"
> +security_driver = "none"
>
> # If set to non-zero, then the default security labeling
> # will make guests confined. If set to zero, then guests

This shouldn't be required. What is supposed to happen is that the
security drivers are enabled by default, but the guests get given a
label which is disabled. E.g. if you have the SELinux security driver
enabled, the LXC containers will get given:

<seclabel type='none' model='selinux'/>

Instead of what QEMU gets:

<seclabel type='dynamic' model='selinux'/>

The type='none' means do not confine the guest. I guess we never added
support to the apparmor driver to honour the VIR_DOMAIN_SECLABEL_NONE
value.

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
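Review bot: the uncommented `security_driver = "none"` added at the end of the lxc.conf hunk turns the shipped example config into an unconditional override that disables LXC confinement on every installation, while the neighbouring `#security_driver = "selinux"` and the new `#security_driver = "apparmor"` lines are only commented examples. If the goal is to document the option, keep it commented (`#security_driver = "none"`) so the compiled-in default still applies, and address the unwanted AppArmor confinement the commit message describes in the driver that applies it rather than in the default config.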