search for: security_selinux

...t;os.initrd && > - virSecurityDACRestoreFileLabel(priv, def->os.initrd) < 0) > - rc = -1; > - > if (def->os.dtb && > virSecurityDACRestoreFileLabel(priv, def->os.dtb) < 0) > rc = -1; > diff --git i/src/security/security_selinux.c w/src/security/security_selinux.c > index 721c451..475cdbc 100644 > --- i/src/security/security_selinux.c > +++ w/src/security/security_selinux.c > @@ -2034,14 +2034,6 @@ virSecuritySELinuxRestoreAllLabel(virSecurityManagerPtr mgr, > virSecuritySELinuxRestoreFileLabel(mgr,...

On 01/14/2016 05:12 AM, Daniel P. Berrange wrote: > On Thu, Jan 14, 2016 at 10:51:47AM +0100, Jiri Denemark wrote: >> On Wed, Jan 13, 2016 at 16:25:14 +0100, Martin Kletzander wrote: >>> On Wed, Jan 13, 2016 at 10:18:42AM +0000, Richard W.M. Jones wrote: >>>> As people may know, we frequently encounter errors caused by libvirt >>>> when running the

...r thought was that if we know how libvirt is relabeling then we could also do it so that the externally created tap's label will match the virt-launcher's. Is this were libvirt does the relabeling https://github.com/libvirt/libvirt/blob/e71e13488dc1aa65456e54a4b41bc925821b4263/src/security/security_selinux.c#L1256 ? btw the error we get is (from audit) type=AVC msg=audit(1586956552.265:513): avc: denied { relabelfrom } for pid=27423 comm="libvirtd" scontext=system_u:system_r:container_t:s0:c143,c582 tcontext=system_u:system_r:spc_t:s0 tclass=tun_socket permissive=0 > Regards, > Da...

On Thu, Jan 14, 2016 at 10:12:30AM +0000, Daniel P. Berrange wrote: > The difference comes in the restore step - where we blow away the > readonly label and put it back to the original. For disks we never > restore readonly/shared labels, but for kernels we do. If we just > kill the restore step for kernels too, we should be fine AFAICT. Works for me - I can try a patch, or if you can

On Tue, Jul 14, 2020 at 3:33 PM Daniel P. Berrangé <berrange@redhat.com> wrote: > On Tue, Jul 14, 2020 at 03:21:17PM +0300, Ram Lavi wrote: > > Hello all, > > > > tl;dr, can you point me to the point in the libvirt repo where it's > trying > > to change a tap-device's SELinux label? > > > > I am trying to create a tap device with libvirt on