Bug 1021892 - Wrong parse security label
Summary: Wrong parse security label
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt-sandbox
Version: 7.0
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: Daniel Berrangé
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-10-22 09:34 UTC by Luwen Su
Modified: 2019-02-14 02:22 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-11-13 13:56:10 UTC
Target Upstream Version:


Attachments (Terms of Use)

Description Luwen Su 2013-10-22 09:34:07 UTC
Description of problem:
When create a lxc that use label like system_r:svirt_lxc_net_t
or the defaults via virt-sandbox , 
the label will be parsed to  svirt_sandbox_file_t

Version-Release number of selected component (if applicable):
libvirt-1.1.1-9.el7.x86_64
libvirt-sandbox-0.5.0-5.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1.
virt-sandbox-service -c lxc:/// create -C -u httpd.service -s static,label=system_u:system_r:svirt_lxc_net_t:s0:c1,c2 -N dhcp,source=default apache1


2.
#virsh -c lxc:/// list --all
 Id    Name                           State
----------------------------------------------------
 -     apache11                       shut off

# virsh -c lxc:/// start apache1
Domain apache11 started

[root@localhost ~]# ll -Z /var/lib/libvirt/filesystems/apache1/
drwxr-xr-x. root root system_u:object_r:svirt_sandbox_file_t:s0:c1,c2 etc
drwxr-xr-x. root root system_u:object_r:svirt_sandbox_file_t:s0:c1,c2 home
dr-xr-x---. root root system_u:object_r:svirt_sandbox_file_t:s0:c1,c2 root
drwxr-xr-x. root root system_u:object_r:svirt_sandbox_file_t:s0:c1,c2 usr
drwxr-xr-x. root root system_u:object_r:svirt_sandbox_file_t:s0:c1,c2 var




Actual results:
svirt_sandbox_file_t

Expected results:
shoulde be svirt_lxc_net_t

Additional info:
There is already have a patch which fixed this on upstream , file for record

Comment 1 Alex Jia 2013-10-22 09:41:49 UTC
(In reply to time.su from comment #0)

> Expected results:
> shoulde be svirt_lxc_net_t

It should be svirt_lxc_file_t, this has been fixed by upstream commit 507bbb3.


commit 507bbb38afda8ced8baa81b51fbb746ff73ce2fd
Author: Daniel P. Berrange <berrange>
Date:   Tue Oct 1 14:38:21 2013 +0100

    Revert "virt-sandbox patch to launch containers with proper label"
    
    This reverts commit e55ca13a14a47eab274393e15f6a60cce8efedc8
    which was mistakenly pushed.
    
    Signed-off-by: Daniel P. Berrange <berrange>

Comment 3 Daniel Berrangé 2013-11-13 13:56:10 UTC
The SELinux policy has made 'svirt_lxc_net_t' be an alias for 'svirt_sandbox_file_t'. So even though virt-sandbox-service is still using the former, it will appear as the latter when you use 'ls' to look at it.


Note You need to log in before you can comment on or make changes to this bug.