Description of problem:
Can't access the user home directory via virt-login-shell; it gives a "Permission denied" error. A normal user should have permission to access its home directory.

Version-Release number of selected component (if applicable):
libvirt-client-1.1.1-3.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Create a 'sandbox' user account.
# useradd sandbox
# passwd sandbox
2. Edit /etc/libvirt/virt-login-shell.conf as follows:
# tail -2 /etc/libvirt/virt-login-shell.conf
allowed_users = ["sandbox"]
shell = [ "/bin/ls", "-l", "/home/sandbox"]
3. Start a 'sandbox' container.
# virt-sandbox -c lxc:/// /bin/sh
4. Switch to the 'sandbox' account and run 'virt-login-shell'.
# su sandbox
$ virt-login-shell

Actual results:
$ virt-login-shell
/bin/ls: cannot open directory /home/sandbox: Permission denied

Expected results:
'virt-login-shell' should allow the user to access its home directory.

Additional info:
[sandbox@localhost ~]$ pwd
/home/sandbox
[sandbox@localhost ~]$ id
uid=1004(sandbox) gid=1004(sandbox) groups=1004(sandbox) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[sandbox@localhost ~]$ touch hello
[sandbox@localhost ~]$ ls
hello
In order to make this work you would have to label /home/sandbox correctly with virt_lxc_file_t and the correct MCS label.

When you are in the sandbox you will be running something like

svirt_lxc_net_t:s0:c2,c3

and you are only able to read/write

svirt_lxc_file_t:s0:c2,c3

OpenShift sets this up automatically. They set up static labeling.
(In reply to Daniel Walsh from comment #2)
> In order to make this work you would have to label /home/sandbox correctly
> with virt_lxc_file_t and the correct MCS Label.
>
> When you are in the sandbox you will be running something like
>
> svirt_lxc_net_t:s0:c2,c3 And you are only able to read/write
> svirt_lxc_file_t:s0:c2,c3
>
> Openshift sets this up automatically.
>
> They setup static labeling.

Daniel, I think there should at least be a document describing this in the future. In addition, I also checked auditd.log with SELinux in 'Enforcing' mode and haven't found any AVC denied error, so it is indeed hard for me to debug this. Is this an SELinux issue? Thanks.
Daniel, can the default SELinux label "svirt_lxc_net_t" be assigned automatically when we create a sandbox (libvirt-sandbox) account? I guess OpenShift does this by itself; if I'm not an OpenShift user, then it means I must change my home directory's SELinux label manually myself.
Yes, when using libvirt-sandbox you need to set up labels yourself for any content you want to be able to write within the sandbox. When using virt-sandbox-service, it does this for you.
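The manual labeling step described in comments 2 and 5 is easy to get wrong silently, because a type or MCS mismatch on the home directory produces "Permission denied" rather than an obvious error. The script below is an added example (not code from the bug report or from libvirt) that compares a sandbox process context, as printed by `id -Z` inside the sandbox, with a file context, as printed by `ls -Zd` on the host, and prints the `chcon` invocation that would give the directory the matching label. It assumes the types and category pair named in comment 2 (svirt_lxc_net_t for the process, svirt_lxc_file_t with the same categories for writable content) and requires an exact category match, as that comment states; the sample contexts embedded below are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the bug report: check whether a file's SELinux
# context lets a libvirt-sandbox process read/write it, and print the chcon
# command that would fix it. Assumes the labeling rule from comment 2:
# process svirt_lxc_net_t:s0:cX,cY may only write svirt_lxc_file_t:s0:cX,cY.
# Contexts are expected in full form, e.g. user:role:type:s0:c2,c3, which is
# what `id -Z` (inside the sandbox) and `ls -Zd DIR` (on the host) print.

# Third colon-separated field of a context is the type.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Everything after the type is the MLS/MCS range, e.g. "s0:c2,c3" or "s0".
ctx_mcs() {
    printf '%s\n' "$1" | cut -d: -f4-
}

# sandbox_can_rw PROCESS_CONTEXT FILE_CONTEXT
# Prints "ok" and returns 0 when the file carries the sandbox file type and
# exactly the process's MCS range; otherwise prints the reason and returns 1.
# (Exact match is the conservative rule from comment 2; it deliberately does
# not model general MCS dominance.)
sandbox_can_rw() {
    proc_ctx=$1
    file_ctx=$2
    ftype=$(ctx_type "$file_ctx")
    if [ "$ftype" != "svirt_lxc_file_t" ]; then
        printf 'type mismatch: %s is not svirt_lxc_file_t\n' "$ftype"
        return 1
    fi
    pmcs=$(ctx_mcs "$proc_ctx")
    fmcs=$(ctx_mcs "$file_ctx")
    if [ "$pmcs" != "$fmcs" ]; then
        printf 'mcs mismatch: process %s vs file %s\n' "$pmcs" "$fmcs"
        return 1
    fi
    printf 'ok\n'
}

# suggest_chcon PROCESS_CONTEXT DIR
# Prints the chcon command that relabels DIR for this sandbox process.
# chcon -t sets the type and -l the MLS/MCS range (both standard coreutils
# options). The command is printed rather than executed so the example has
# no side effects; run the printed line as root on the real host.
suggest_chcon() {
    printf 'chcon -t svirt_lxc_file_t -l %s %s\n' "$(ctx_mcs "$1")" "$2"
}

# Constructed sample contexts mirroring the report: the sandbox process label
# from comment 2, the home directory as useradd leaves it, and the same
# directory after relabeling.
PROC_CTX="system_u:system_r:svirt_lxc_net_t:s0:c2,c3"
HOME_CTX="unconfined_u:object_r:user_home_dir_t:s0"
FIXED_CTX="unconfined_u:object_r:svirt_lxc_file_t:s0:c2,c3"

for ctx in "$HOME_CTX" "$FIXED_CTX"; do
    printf 'file %s -> ' "$ctx"
    sandbox_can_rw "$PROC_CTX" "$ctx" || true
done
suggest_chcon "$PROC_CTX" /home/sandbox
```

On a real host, feed `sandbox_can_rw` the output of `id -Z` captured from inside the running sandbox and `ls -Zd /home/sandbox` from the host; the category pair is allocated per sandbox, so a label that matched one instance will not necessarily match the next unless the sandbox is given static categories.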
We have a version of virt-sandbox -s inherit upstream which will run the sandbox with the user's context rather than svirt_lxc_net_t. When this comes out you could run containers as unconfined_t and then the login should work fine.
(In reply to Daniel Walsh from comment #6)
> We have a version of virt-sandbox -s inherit which is in the upstream which
> will run the sandbox with the users context rather than svirt_lxc_net_t.
> When this comes out you could run containers as unconfined_t and then the
> login should work fine.

Thanks, I'm looking forward to testing this new feature. If everything is okay, I will close the bug as WORKSFORME.