[libvirt] [PATCH] LXC: don't set socket create selinux context in virLXCProcessConnectMonitor

Gao feng gaofeng at cn.fujitsu.com
Wed Dec 25 07:02:51 UTC 2013


The unix socket /var/run/libvirt/lxc/domain.sock is not created
under the selinux context which is configured by <seclabel>.

If we try to connect to the domain.sock under the selinux context
of the domain in virLXCProcessConnectMonitor, selinux will deny
this connect operation.

type=AVC msg=audit(1387953696.067:662): avc:  denied  { connectto } for  pid=21206 comm="libvirtd" path="/usr/local/var/run/libvirt/lxc/systemd.sock" scontext=unconfined_u:system_r:svirt_lxc_net_t:s0:c770,c848 tcontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

Since there is no harm in accessing domain.sock out of the domain's
context, this patch removes the setsockcreatecon in
virLXCProcessConnectMonitor.

Signed-off-by: Gao feng <gaofeng at cn.fujitsu.com>
---
 src/lxc/lxc_process.c | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/src/lxc/lxc_process.c b/src/lxc/lxc_process.c
index cc9c1a2..b336ade 100644
--- a/src/lxc/lxc_process.c
+++ b/src/lxc/lxc_process.c
@@ -640,9 +640,6 @@ static virLXCMonitorPtr virLXCProcessConnectMonitor(virLXCDriverPtr driver,
     virLXCMonitorPtr monitor = NULL;
     virLXCDriverConfigPtr cfg = virLXCDriverGetConfig(driver);
 
-    if (virSecurityManagerSetSocketLabel(driver->securityManager, vm->def) < 0)
-        goto cleanup;
-
     /* Hold an extra reference because we can't allow 'vm' to be
      * deleted while the monitor is active */
     virObjectRef(vm);
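Review bot: Dropping virSecurityManagerSetSocketLabel here removes the hook for every security driver, but the commit message only argues the SELinux case (the AVC shows the socket living under unconfined_t while the connect is attempted from svirt_lxc_net_t). Please state in the commit message whether the other security drivers behind driver->securityManager have no dependency on the socket label for the monitor connect, and whether the alternative of labelling the socket at creation so that it matches <seclabel> was considered and rejected, since that is the mismatch the audit line actually reports. Also note that removing this `goto cleanup` is what makes deleting the `cleanup:` label in the next hunk possible; any other `goto cleanup` in the unchanged lines of this function would now fail to compile.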
@@ -652,15 +649,6 @@ static virLXCMonitorPtr virLXCProcessConnectMonitor(virLXCDriverPtr driver,
     if (monitor == NULL)
         virObjectUnref(vm);
 
-    if (virSecurityManagerClearSocketLabel(driver->securityManager, vm->def) < 0) {
-        if (monitor) {
-            virObjectUnref(monitor);
-            monitor = NULL;
-        }
-        goto cleanup;
-    }
-
-cleanup:
     virObjectUnref(cfg);
     return monitor;
 }
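Review bot: With the `cleanup:` label removed, the only remaining teardown is the unconditional `virObjectUnref(cfg); return monitor;`, which is correct for the `monitor == NULL` path shown (vm is unref'd just above, then cfg). Worth checking that the lines between the two hunks contain no other `goto cleanup`, otherwise this hunk breaks the build. Separately, if virLXCProcessConnectMonitor was the only caller of virSecurityManagerSetSocketLabel/virSecurityManagerClearSocketLabel in the LXC driver, consider mentioning in the commit message that the per-driver socket-label callbacks are now unused from LXC so that reviewers can decide whether they should stay.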
-- 
1.8.4.2