Quoting Nathan Lynch (ntl@xxxxxxxxx):
> On Wed, 2010-03-03 at 13:49 -0600, Serge E. Hallyn wrote:
> > Quoting Nathan Lynch (ntl@xxxxxxxxx):
> > > On Tue, 2010-03-02 at 19:19 -0600, Serge E. Hallyn wrote:
> > > > Can you try the following patch?
> > > >
> > > > Also, to actually restore the LSM labels you need to add -k to your
> > > > restart flags, but without the -k you should get a sane default
> > > > security label.
> > >
> > > Thanks, the ipc/mq tests pass with this patch and restart -k. Without
> > > -k the tests still fail in the same manner (msgrcv fails). Is that the
> > > behavior you'd expect?
> >
> > Not really - the test runs as unconfined_u right?
>
> I added a ps -Z to test-mq.sh before thawing:
>
> # PATH=/root/cr/user-cr.git:$PATH bash test-mq.sh
> Using output dir ./cr_mq_6T8KIG6
> XXX Test 1: simple restart with SYSVIPC msq
> check-mq: no process killed
> ../common.sh: line 45: 5173 Killed ( sleep $1; kill -s USR1 $$ )
> LABEL PID TTY TIME CMD
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4358 pts/1 00:00:00 bash
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5151 pts/1 00:00:00 bash
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5172 pts/1 00:00:00 nsexec
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5175 pts/1 00:00:00 sleep
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5178 pts/1 00:00:00 check-
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5183 pts/1 00:00:00 ps
> PASS

Can you try the following patch? (this is on top of the last one - I'd sent)

The problem is that selinux does not assign a label to a msg_msg until you do msgsnd. So it may be best to special-case the msg_msg object type and always have it restore the msgtype. One reason *NOT* to do that would be that the restarter might not have msg_msg:restore permission... But pls let me know if this patch fixes your problem.

thanks,
-serge

>From d20ab718b6ebe21a034801c461772e588b92432a Mon Sep 17 00:00:00 2001
From: Serge E. Hallyn <serue@xxxxxxxxxx> Date: Wed, 3 Mar 2010 11:31:33 -0600 Subject: [PATCH 1/1] always restore msg_msg label Signed-off-by: Serge E. Hallyn <serue@xxxxxxxxxx> --- security/security.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) diff --git a/security/security.c b/security/security.c index 28db976..2b147cf 100644 --- a/security/security.c +++ b/security/security.c @@ -1524,7 +1524,9 @@ int security_restore_obj(struct ckpt_ctx *ctx, void *v, int sectype, /* return if caller didn't want to restore checkpointed labels */ if (!(ctx->uflags & RESTART_KEEP_LSM)) - return 0; + /* though msg_msg label must always be restored */ + if (sectype != CKPT_SECURITY_MSG_MSG) + return 0; l = ckpt_obj_fetch(ctx, secref, CKPT_OBJ_SECURITY); if (IS_ERR(l)) -- 1.6.0.6 _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linux-foundation.org/mailman/listinfo/containers
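Review bot: the new `if (sectype != CKPT_SECURITY_MSG_MSG)` is nested as the braceless body of `if (!(ctx->uflags & RESTART_KEEP_LSM))`, with the comment sitting between the outer condition and its body, which is hard to read and leaves the existing comment "return if caller didn't want to restore checkpointed labels" no longer accurate for msg_msg. Fold the two conditions into one test and update the comment, e.g. `/* return if caller didn't want checkpointed labels, except msg_msg which must always be restored */` followed by `if (!(ctx->uflags & RESTART_KEEP_LSM) && sectype != CKPT_SECURITY_MSG_MSG)` and `return 0;`. Logic-wise, note the consequence the cover text already raises: without RESTART_KEEP_LSM, msg_msg objects now fall through to `ckpt_obj_fetch()` and the label restore, so a restarter lacking msg_msg:restore permission gets a restart failure where it previously got a default label; worth a sentence in the commit message and a check of the error path so the failure is reported clearly rather than surfacing later as an msgrcv error.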