Bug 1021892 - Wrong parse security label
Wrong parse security label
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt-sandbox (Show other bugs)
Unspecified Unspecified
medium Severity medium
: rc
: ---
Assigned To: Daniel Berrange
Virtualization Bugs
Depends On:
  Show dependency treegraph
Reported: 2013-10-22 05:34 EDT by Luwen Su
Modified: 2013-11-13 08:56 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-11-13 08:56:10 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Luwen Su 2013-10-22 05:34:07 EDT
Description of problem:
When create a lxc that use label like system_r:svirt_lxc_net_t
or the defaults via virt-sandbox , 
the label will be parsed to  svirt_sandbox_file_t

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
virt-sandbox-service -c lxc:/// create -C -u httpd.service -s static,label=system_u:system_r:svirt_lxc_net_t:s0:c1,c2 -N dhcp,source=default apache1

#virsh -c lxc:/// list --all
 Id    Name                           State
 -     apache11                       shut off

# virsh -c lxc:/// start apache1
Domain apache11 started

[root@localhost ~]# ll -Z /var/lib/libvirt/filesystems/apache1/
drwxr-xr-x. root root system_u:object_r:svirt_sandbox_file_t:s0:c1,c2 etc
drwxr-xr-x. root root system_u:object_r:svirt_sandbox_file_t:s0:c1,c2 home
dr-xr-x---. root root system_u:object_r:svirt_sandbox_file_t:s0:c1,c2 root
drwxr-xr-x. root root system_u:object_r:svirt_sandbox_file_t:s0:c1,c2 usr
drwxr-xr-x. root root system_u:object_r:svirt_sandbox_file_t:s0:c1,c2 var

Actual results:

Expected results:
shoulde be svirt_lxc_net_t

Additional info:
There is already have a patch which fixed this on upstream , file for record
Comment 1 Alex Jia 2013-10-22 05:41:49 EDT
(In reply to time.su from comment #0)

> Expected results:
> shoulde be svirt_lxc_net_t

It should be svirt_lxc_file_t, this has been fixed by upstream commit 507bbb3.

commit 507bbb38afda8ced8baa81b51fbb746ff73ce2fd
Author: Daniel P. Berrange <berrange@redhat.com>
Date:   Tue Oct 1 14:38:21 2013 +0100

    Revert "virt-sandbox patch to launch containers with proper label"
    This reverts commit e55ca13a14a47eab274393e15f6a60cce8efedc8
    which was mistakenly pushed.
    Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Comment 3 Daniel Berrange 2013-11-13 08:56:10 EST
The SELinux policy has made 'svirt_lxc_net_t' be an alias for 'svirt_sandbox_file_t'. So even though virt-sandbox-service is still using the former, it will appear as the latter when you use 'ls' to look at it.

Note You need to log in before you can comment on or make changes to this bug.