Description of problem:
When creating an LXC container that uses a label like system_r:svirt_lxc_net_t, or the defaults, via virt-sandbox, the label will be parsed to svirt_sandbox_file_t.

Version-Release number of selected component (if applicable):
libvirt-1.1.1-9.el7.x86_64
libvirt-sandbox-0.5.0-5.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. virt-sandbox-service -c lxc:/// create -C -u httpd.service -s static,label=system_u:system_r:svirt_lxc_net_t:s0:c1,c2 -N dhcp,source=default apache1
2.
#virsh -c lxc:/// list --all
 Id    Name                           State
----------------------------------------------------
 -     apache11                       shut off

# virsh -c lxc:/// start apache1
Domain apache11 started

[root@localhost ~]# ll -Z /var/lib/libvirt/filesystems/apache1/
drwxr-xr-x. root root system_u:object_r:svirt_sandbox_file_t:s0:c1,c2 etc
drwxr-xr-x. root root system_u:object_r:svirt_sandbox_file_t:s0:c1,c2 home
dr-xr-x---. root root system_u:object_r:svirt_sandbox_file_t:s0:c1,c2 root
drwxr-xr-x. root root system_u:object_r:svirt_sandbox_file_t:s0:c1,c2 usr
drwxr-xr-x. root root system_u:object_r:svirt_sandbox_file_t:s0:c1,c2 var

Actual results:
svirt_sandbox_file_t

Expected results:
should be svirt_lxc_net_t

Additional info:
There is already a patch which fixed this upstream; filing for the record.
(In reply to time.su from comment #0)
> Expected results:
> should be svirt_lxc_net_t

It should be svirt_lxc_file_t; this has been fixed by upstream commit 507bbb3.

commit 507bbb38afda8ced8baa81b51fbb746ff73ce2fd
Author: Daniel P. Berrange <berrange>
Date:   Tue Oct 1 14:38:21 2013 +0100

    Revert "virt-sandbox patch to launch containers with proper label"

    This reverts commit e55ca13a14a47eab274393e15f6a60cce8efedc8
    which was mistakenly pushed.

    Signed-off-by: Daniel P. Berrange <berrange>
The SELinux policy has made 'svirt_lxc_net_t' be an alias for 'svirt_sandbox_file_t'. So even though virt-sandbox-service is still using the former, it will appear as the latter when you use 'ls' to look at it.