Since there is a shmobj leak when we let qemu create the shmobj by itself, and the label of the shmobj/shmem-server socket is not right either, the guest cannot directly use the shmem-server if the user has enabled SELinux. So it will be better to manage it in libvirt. The way I chose is to register the shmem device in a list, save its status to a local file to avoid losing it after libvirtd restarts, count the guests which use it, and let the callers know when no guest is using it any more (then we can relabel/clean up some resources).

Notice: you still cannot use the ivshmem-server if the process label is not correct; just setting the socket label is not enough, SELinux will still forbid qemu from using it, because the shmem-server's process label is not correct. You will find an AVC like this (I set up the ivshmem server via the shell):

type=AVC msg=audit(1437642157.227:73784): avc: denied { connectto } for \
pid=6137 comm="qemu-kvm" path="/tmp/ivshmem_socket" \
scontext=system_u:system_r:svirt_t:s0:c703,c707 \
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

But the problem is that we cannot change the label of the running shm-server process. We need to wait for ivshmem-server to become a part of the qemu program, then set up the ivshmem-server from libvirt. We cannot do anything for the ivshmem-server right now.
Luyao Huang (4):
  conf: introduce seclabels in shmem device element
  security: add security part for shmem device
  util: introduce new helpers to manage shmem device
  qemu: call the helpers in virshm.c to manage shmem device

 configure.ac                    |  10 +
 docs/formatdomain.html.in       |   7 +
 docs/schemas/domaincommon.rng   |   3 +
 po/POTFILES.in                  |   3 +-
 src/Makefile.am                 |   5 +-
 src/conf/domain_conf.c          |  55 +++-
 src/conf/domain_conf.h          |   5 +
 src/libvirt_private.syms        |  18 ++
 src/qemu/qemu_conf.h            |   3 +
 src/qemu/qemu_driver.c          |   4 +
 src/qemu/qemu_process.c         | 158 ++++++++++
 src/security/security_dac.c     |  67 +++++
 src/security/security_driver.h  |  11 +
 src/security/security_manager.c |  38 +++
 src/security/security_manager.h |   8 +
 src/security/security_selinux.c |  70 +++++
 src/security/security_stack.c   |  41 +++
 src/util/virshm.c               | 623 ++++++++++++++++++++++++++++++++++++++++
 src/util/virshm.h               | 104 +++++++
 19 files changed, 1220 insertions(+), 13 deletions(-)
 create mode 100644 src/util/virshm.c
 create mode 100644 src/util/virshm.h

--
1.8.3.1

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
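As an added example (not part of the cover letter or of libvirt), the following parser pulls the source/target types out of AVC records like the one quoted above and separates a `connectto` denial on a `unix_stream_socket`, where the target context is the label of the listening process, from a denial on the socket file, where relabelling the path would actually help. The second sample line is constructed for contrast.

```python
import re

# AVC record quoted in the cover letter, with the shell continuation backslashes removed.
AVC_FROM_MAIL = (
    'type=AVC msg=audit(1437642157.227:73784): avc: denied { connectto } for '
    'pid=6137 comm="qemu-kvm" path="/tmp/ivshmem_socket" '
    'scontext=system_u:system_r:svirt_t:s0:c703,c707 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tclass=unix_stream_socket'
)

# Constructed sample: the same client denied on the socket *file* instead of the peer process.
AVC_SOCK_FILE = (
    'type=AVC msg=audit(1437642200.001:73790): avc: denied { write } for '
    'pid=6137 comm="qemu-kvm" name="ivshmem_socket" dev="tmpfs" ino=4242 '
    'scontext=system_u:system_r:svirt_t:s0:c703,c707 '
    'tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file'
)

_AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$')
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the AVC fields plus the SELinux *type* of each context, or None."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, val in _FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')
    for ctx in ('scontext', 'tcontext'):
        if ctx in rec:
            # user:role:type:range -> the type is the third component
            rec[ctx + '_type'] = rec[ctx].split(':')[2]
    return rec


def classify(rec):
    """Say what the denial is about, so the operator knows what can be relabelled."""
    if rec is None:
        return 'not-an-avc'
    if 'connectto' in rec['perms'] and rec.get('tclass') == 'unix_stream_socket':
        # tcontext is the listening process's label: relabelling the path will not help
        return 'peer-process-label'
    if rec.get('tclass') in ('sock_file', 'file', 'dir', 'chr_file', 'blk_file'):
        return 'file-label'
    return 'other'
```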