
Re: [libvirt] This patch adds the label to lxc-enter-namespace




On 01/25/2013 02:39 PM, Daniel J Walsh wrote:
> (2nd pass)
> 
> 
> lxc-enter-namespace allows a process from outside a container to start a 
> process inside a container.  One problem with the current code is the
> process running within the container would run with the label of the
> process that created it.
> 
> For example if the admin process is running as unconfined_t and executes
> the following command
> 
> 
> # virsh -c lxc:/// lxc-enter-namespace --nolabel dan -- /bin/ps -eZ
> LABEL                                            PID TTY          TIME CMD
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023      1 pts/0    00:00:00 systemd
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023      3 pts/1    00:00:00 sh
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023     24 ?        00:00:00 systemd-journal
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023     29 ?        00:00:00 dhclient
> staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023  47 ?        00:00:00 ps
> 
> Note the ps command is running as unconfined_t. After this patch,
> 
> 
> virsh -c lxc:/// lxc-enter-namespace dan -- /bin/ps -eZ
> LABEL                                            PID TTY          TIME CMD
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023      1 pts/0    00:00:00 systemd
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023      3 pts/1    00:00:00 sh
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023     24 ?        00:00:00 systemd-journal
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023     32 ?        00:00:00 dhclient
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023     38 ?        00:00:00 ps
> 
> I also add a --nolabel command to virsh, which can go back to the original 
> behaviour.
> 
> virsh -c lxc:/// lxc-enter-namespace --nolabel dan -- /bin/ps -eZ
> LABEL                                            PID TTY          TIME CMD
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023      1 pts/0    00:00:00 systemd
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023      3 pts/1    00:00:00 sh
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023     24 ?        00:00:00 systemd-journal
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023     32 ?        00:00:00 dhclient
> staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023  37 ?        00:00:00 ps
> 
> 
> Everything seems to be working perfectly now.
> 
> 


Any comment on this?
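
The check that the listings in the message above perform by eye, as an added example that is not part of the original message or of libvirt: it takes the SELinux context of the container's PID 1 as the expected one and reports every process in a `ps -eZ` listing whose context differs. The sample rows are the first listing from the post; the function names are chosen here for illustration.

```python
# Added example: audit a container's `ps -eZ` listing for processes that do
# not carry the SELinux context of the container's init (PID 1).

# Rows from the first listing in the post, one row per process.
SAMPLE = """\
LABEL PID TTY TIME CMD
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 1 pts/0 00:00:00 systemd
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 3 pts/1 00:00:00 sh
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 24 ? 00:00:00 systemd-journal
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 29 ? 00:00:00 dhclient
staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 47 ? 00:00:00 ps
"""

FIELDS = ("user", "role", "type", "level")


def parse_ps_z(text):
    """Yield (pid, cmd, label) for each process row, skipping the header."""
    for line in text.splitlines():
        cols = line.split(None, 4)
        if len(cols) == 5 and cols[1].isdigit():
            yield int(cols[1]), cols[4], cols[0]


def split_context(label):
    """Split user:role:type:level; the level itself may contain ':'."""
    parts = label.split(":", 3)
    if len(parts) != 4:  # e.g. '-' when no context is reported
        return None
    return dict(zip(FIELDS, parts))


def mislabeled(text):
    """Return [(pid, cmd, label, differing_fields)] relative to PID 1."""
    procs = list(parse_ps_z(text))
    init = next((label for pid, _, label in procs if pid == 1), None)
    expected = split_context(init) if init else None
    if expected is None:
        raise ValueError("no usable PID 1 context in listing")
    findings = []
    for pid, cmd, label in procs:
        ctx = split_context(label)
        diff = [f for f in FIELDS if ctx is None or ctx[f] != expected[f]]
        if diff:
            findings.append((pid, cmd, label, diff))
    return findings


if __name__ == "__main__":
    for pid, cmd, label, diff in mislabeled(SAMPLE):
        print(f"pid {pid} ({cmd}) runs as {label}; differs in {', '.join(diff)}")
```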

