LXC: create monitor socket under selinux context of domain

the unix socket /var/run/libvirt/lxc/domain.sock is not created under the selinux context which configured by <seclabel>. If we try to connect the domain.sock under the selinux context of domain in virtLXCProcessConnectMonitor,selinux will deny this connect operation. type=AVC msg=audit(1387953696.067:662): avc: denied { connectto } for pid=21206 comm="libvirtd" path="/usr/local/var/run/libvirt/lxc/systemd.sock" scontext=unconfined_u:system_r:svirt_lxc_net_t:s0:c770,c848 tcontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket fix this problem by creating socket under selinux context of domain. Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
2014-01-08 11:03:01 +08:00 · 2014-01-08 11:03:01 +08:00 · afba32b897
parent 4a66ffade5
commit afba32b897
1 changed files with 6 additions and 0 deletions
--- a/src/lxc/lxc_controller.c
+++ b/src/lxc/lxc_controller.c
@ -745,6 +745,9 @@ static int virLXCControllerSetupServer(virLXCControllerPtr ctrl)
                                         ctrl)))
        goto error;

+    if (virSecurityManagerSetSocketLabel(ctrl->securityManager, ctrl->def) < 0)
+        goto error;
+
    if (!(svc = virNetServerServiceNewUNIX(sockpath,
                                           0700,
                                           0,
@ -757,6 +760,9 @@ static int virLXCControllerSetupServer(virLXCControllerPtr ctrl)
                                           5)))
        goto error;

+    if (virSecurityManagerClearSocketLabel(ctrl->securityManager, ctrl->def) < 0)
+        goto error;
+
    if (virNetServerAddService(ctrl->server, svc, NULL) < 0)
        goto error;
    virObjectUnref(svc);