LXC: create monitor socket under selinux context of domain
authorGao feng <gaofeng@cn.fujitsu.com>
Wed, 8 Jan 2014 03:03:01 +0000 (11:03 +0800)
committerMichal Privoznik <mprivozn@redhat.com>
Wed, 8 Jan 2014 10:10:03 +0000 (11:10 +0100)
the unix socket /var/run/libvirt/lxc/domain.sock is not created
under the selinux context which is configured by <seclabel>.

If we try to connect the domain.sock under the selinux context
of domain in virtLXCProcessConnectMonitor,selinux will deny
this connect operation.

type=AVC msg=audit(1387953696.067:662): avc:  denied  { connectto } for  pid=21206 comm="libvirtd" path="/usr/local/var/run/libvirt/lxc/systemd.sock" scontext=unconfined_u:system_r:svirt_lxc_net_t:s0:c770,c848 tcontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

fix this problem by creating socket under selinux context of domain.

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
src/lxc/lxc_controller.c

index a2ae59904c80dfb1821dd6cbff890c31a1f4b06e..5ca960f13e53501315b28f9086eaa389475b8feb 100644 (file)
@@ -745,6 +745,9 @@ static int virLXCControllerSetupServer(virLXCControllerPtr ctrl)
                                          ctrl)))
         goto error;
 
+    if (virSecurityManagerSetSocketLabel(ctrl->securityManager, ctrl->def) < 0)
+        goto error;
+
     if (!(svc = virNetServerServiceNewUNIX(sockpath,
                                            0700,
                                            0,
@@ -757,6 +760,9 @@ static int virLXCControllerSetupServer(virLXCControllerPtr ctrl)
                                            5)))
         goto error;
 
+    if (virSecurityManagerClearSocketLabel(ctrl->securityManager, ctrl->def) < 0)
+        goto error;
+
     if (virNetServerAddService(ctrl->server, svc, NULL) < 0)
         goto error;
     virObjectUnref(svc);
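Review bot: The failure path between the two new calls leaves the socket label applied: when virNetServerServiceNewUNIX fails, `goto error` (the line right after `5)))`) jumps past the virSecurityManagerClearSocketLabel call, so the error block runs with the domain's socket-creation context still set. The clear should also run on that failure, e.g. `if (!(svc = virNetServerServiceNewUNIX(sockpath, 0700, 0, ...))) { virSecurityManagerClearSocketLabel(ctrl->securityManager, ctrl->def); goto error; }`, or the clear can be moved into the error block so every path restores the context. The controller presumably exits on error, which may make this harmless in practice, but the mismatch between set and clear is easy to trip over if more work is later added to the error path. A short comment above the set call, `/* Create the UNIX socket under the domain's context so the domain is allowed to connect to it */`, would record why the label is toggled around this one call. virLXCControllerSetupServer begins before the first hunk and continues after the second.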