Commit afba32b8 authored by Gao feng, committed by Michal Privoznik

LXC: create monitor socket under selinux context of domain

The unix socket /var/run/libvirt/lxc/domain.sock is not created
under the selinux context configured by <seclabel>.

If we try to connect to domain.sock under the selinux context
of the domain in virLXCProcessConnectMonitor, selinux will deny
this connect operation.

type=AVC msg=audit(1387953696.067:662): avc:  denied  { connectto } for  pid=21206 comm="libvirtd" path="/usr/local/var/run/libvirt/lxc/systemd.sock" scontext=unconfined_u:system_r:svirt_lxc_net_t:s0:c770,c848 tcontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

Fix this problem by creating the socket under the selinux context of the domain.
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
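As an added example, not part of this commit or of libvirt, here is a small Python parser for AVC records like the one quoted above. It flags denied `connectto` attempts on unix stream sockets where the labelled client domain (an `svirt_*` type) and the socket it reaches for carry different types, which is exactly the symptom this patch fixes. The sample log is constructed from the line in the message plus one granted line.

```python
import re
from dataclasses import dataclass

# Constructed sample: the AVC line from the commit message plus one granted line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1387953696.067:662): avc:  denied  { connectto } for  pid=21206 comm="libvirtd" path="/usr/local/var/run/libvirt/lxc/systemd.sock" scontext=unconfined_u:system_r:svirt_lxc_net_t:s0:c770,c848 tcontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1387953700.001:663): avc:  granted  { connectto } for  pid=21207 comm="libvirtd" path="/var/run/libvirt/lxc/other.sock" scontext=unconfined_u:system_r:svirt_lxc_net_t:s0:c1,c2 tcontext=unconfined_u:system_r:svirt_lxc_net_t:s0:c1,c2 tclass=unix_stream_socket
"""

# Header of an AVC record: timestamp, serial, result and the permission set.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+(?P<result>denied|granted)"
    r"\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$"
)
# key=value pairs after "for"; values may be quoted (comm, path) or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcEvent:
    timestamp: float
    serial: int
    result: str
    perms: list
    fields: dict


def parse_avc(line):
    """Parse one audit line; return None for anything that is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return AvcEvent(float(m.group("ts")), int(m.group("serial")), m.group("result"),
                    m.group("perms").split(), fields)


def context_type(ctx):
    # SELinux context is user:role:type:level; the type is what policy rules match on.
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def find_socket_label_mismatches(log_text):
    """Return (path, source_type, target_type) for denied unix-socket connectto
    events where an svirt_* client type differs from the socket's type."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_avc(line)
        if ev is None or ev.result != "denied":
            continue
        if ev.fields.get("tclass") != "unix_stream_socket" or "connectto" not in ev.perms:
            continue
        s_type = context_type(ev.fields.get("scontext", ""))
        t_type = context_type(ev.fields.get("tcontext", ""))
        if s_type.startswith("svirt_") and s_type != t_type:
            hits.append((ev.fields.get("path"), s_type, t_type))
    return hits
```

After the patch, the socket is created with the domain's own label, so the source and target types match and this check reports nothing for that connection.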
Parent 4a66ffad
...@@ -745,6 +745,9 @@ static int virLXCControllerSetupServer(virLXCControllerPtr ctrl) ...@@ -745,6 +745,9 @@ static int virLXCControllerSetupServer(virLXCControllerPtr ctrl)
ctrl))) ctrl)))
goto error; goto error;
if (virSecurityManagerSetSocketLabel(ctrl->securityManager, ctrl->def) < 0)
goto error;
if (!(svc = virNetServerServiceNewUNIX(sockpath, if (!(svc = virNetServerServiceNewUNIX(sockpath,
0700, 0700,
0, 0,
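Review bot: the socket-creation label set by virSecurityManagerSetSocketLabel just before virNetServerServiceNewUNIX is only cleared after the service is created, so if virNetServerServiceNewUNIX fails the `goto error` leaves the controller on its error path with the domain's label still in effect for any socket it creates afterwards. Consider clearing the label on the error path as well (for example after the `error:` label, or by restructuring so the clear call cannot be skipped), so the label is never left behind.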
...@@ -757,6 +760,9 @@ static int virLXCControllerSetupServer(virLXCControllerPtr ctrl) ...@@ -757,6 +760,9 @@ static int virLXCControllerSetupServer(virLXCControllerPtr ctrl)
5))) 5)))
goto error; goto error;
if (virSecurityManagerClearSocketLabel(ctrl->securityManager, ctrl->def) < 0)
goto error;
if (virNetServerAddService(ctrl->server, svc, NULL) < 0) if (virNetServerAddService(ctrl->server, svc, NULL) < 0)
goto error; goto error;
virObjectUnref(svc); virObjectUnref(svc);
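Review bot: the new `goto error` after virSecurityManagerClearSocketLabel fires while `svc` is already allocated, and the only visible virObjectUnref(svc) sits on the success path after virNetServerAddService; confirm that the error path unrefs `svc`, otherwise this early exit leaks the service object. It would also help to state in the commit message whether security drivers other than SELinux implement SetSocketLabel/ClearSocketLabel as no-ops returning 0, since the controller now fails hard on any non-zero return from either call.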