From afba32b897ff7e4b75e8837f60c382ac4bb6efb7 Mon Sep 17 00:00:00 2001
From: Gao feng
Date: Wed, 8 Jan 2014 11:03:01 +0800
Subject: [PATCH] LXC: create monitor socket under selinux context of domain

the unix socket /var/run/libvirt/lxc/domain.sock is not created under the selinux context which configured by . If we try to connect the domain.sock under the selinux context of domain in virtLXCProcessConnectMonitor,selinux will deny this connect operation.

type=AVC msg=audit(1387953696.067:662): avc: denied { connectto } for pid=21206 comm="libvirtd" path="/usr/local/var/run/libvirt/lxc/systemd.sock" scontext=unconfined_u:system_r:svirt_lxc_net_t:s0:c770,c848 tcontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

fix this problem by creating socket under selinux context of domain.

Signed-off-by: Gao feng
---
 src/lxc/lxc_controller.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c
index a2ae59904c..5ca960f13e 100644
--- a/src/lxc/lxc_controller.c
+++ b/src/lxc/lxc_controller.c
@@ -745,6 +745,9 @@ static int virLXCControllerSetupServer(virLXCControllerPtr ctrl)
                                            ctrl)))
         goto error;
 
+    if (virSecurityManagerSetSocketLabel(ctrl->securityManager, ctrl->def) < 0)
+        goto error;
+
     if (!(svc = virNetServerServiceNewUNIX(sockpath,
                                            0700,
                                            0,
@@ -757,6 +760,9 @@ static int virLXCControllerSetupServer(virLXCControllerPtr ctrl)
                                            5)))
         goto error;
 
+    if (virSecurityManagerClearSocketLabel(ctrl->securityManager, ctrl->def) < 0)
+        goto error;
+
     if (virNetServerAddService(ctrl->server, svc, NULL) < 0)
         goto error;
     virObjectUnref(svc);
-- 
GitLab
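Review bot: The socket-creation label set by the new virSecurityManagerSetSocketLabel call is never cleared on the failure path of virNetServerServiceNewUNIX, because that call's existing `goto error` sits between the Set and the Clear added in the second hunk, so the process is left with the domain's socket-create context for any socket opened later by the `error` cleanup or by whatever runs after it. The failing branch should restore the label first, e.g. `{ virSecurityManagerClearSocketLabel(ctrl->securityManager, ctrl->def); goto error; }` in place of the bare `goto error;` after the `5)))` line. A one-line comment above the Set call would also help the next reader, since the pairing is not obvious from the names: `/* Label socket creation with the domain's context so that the later connect from within that context (virtLXCProcessConnectMonitor) is permitted by SELinux; must be paired with ClearSocketLabel below. */`. Note that this relabels the in-kernel socket object to the guest's own context (the AVC shows tclass=unix_stream_socket), so the 0700 mode and the directory the socket lives in are what keeps container processes from using that same context to reach it — presumably acceptable here, but worth stating in the commit message. virLXCControllerSetupServer starts before this hunk and its `error` label is outside it.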
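Review bot: The new `goto error` after virSecurityManagerClearSocketLabel fails leaves `svc` referenced, since the only `virObjectUnref(svc)` visible in this hunk runs after a successful virNetServerAddService and the `error` label is outside the hunk, so unless that label already drops `svc` (it cannot, if `svc` is a local not yet stored anywhere) this is a leak of the freshly created service and its listening socket. If the label does not release it, the branch should be `{ virObjectUnref(svc); goto error; }`, or the Clear result should be checked before the service is considered owned. It would also be worth a short comment on why the clear is done here rather than unconditionally, e.g. `/* Restore the default socket-creation context; only the monitor socket above must carry the domain label. */`. The enclosing function continues past the end of this hunk.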