On Fri, 2014-02-21 at 14:23 +0000, Daniel P. Berrange wrote:
> On Fri, Feb 21, 2014 at 02:57:28PM +0100, Cédric Bosdonnat wrote:
> > No security_driver value could cause weird behavior, like using
> > apparmor even though we don't want it.
> > ---
> >  src/lxc/lxc.conf | 2 ++
> >  1 file changed, 2 insertions(+)
> >
> > diff --git a/src/lxc/lxc.conf b/src/lxc/lxc.conf
> > index 8df4601..5eb0122 100644
> > --- a/src/lxc/lxc.conf
> > +++ b/src/lxc/lxc.conf
> > @@ -20,6 +20,8 @@
> >  # to 'none' instead.
> >  #
> >  #security_driver = "selinux"
> > +#security_driver = "apparmor"
> > +security_driver = "none"
> >
> >  # If set to non-zero, then the default security labeling
> >  # will make guests confined. If set to zero, then guests
>
> This shouldn't be required. What is supposed to happen is that
> the security drivers are enabled by default, but the guests
> get given a label which is disabled. eg if you have SELinux
> security driver enabled, the LXC containers will get given:
>
>   <seclabel type='none' model='selinux'/>
>
> Instead of what QEMU gets:
>
>   <seclabel type='dynamic' model='selinux'/>
>
> The type='none' means do not confine the guest. I guess we
> never added support to the apparmor driver to honour the
> VIR_DOMAIN_SECLABEL_NONE value.

I see. Then I'll need to add it instead of this patch.

--
Cedric

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
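Review bot: the second added line, `security_driver = "none"`, is an active setting rather than a commented example, which is inconsistent with the surrounding lines in this hunk (`#security_driver = "selinux"` and the new `#security_driver = "apparmor"` are both commented out) and turns the shipped sample config into one that disables the LXC security driver outright instead of leaving it enabled with an unconfined label. If the intent is only to document the option, it should be `#security_driver = "none"` like its neighbours; if the intent is to work around the apparmor driver not honouring the none label, that is a driver fix, not a config-default change, and the commit message should say which behaviour was observed rather than "weird behavior".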