This fixes the last issue preventing qemu:///system spice GL from working out of the box: chown'ing the rendernode path so we have permissions to open it. We skip this if mount namespaces are disabled, so the chown'ing won't interfere with other rendernode users on the host. https://bugzilla.redhat.com/show_bug.cgi?id=1460804 v2: Add the MOUNT_NAMESPACE handling Drop DAC restore of rendernode Cole Robinson (2): security: add MANAGER_MOUNT_NAMESPACE flag security: dac: relabel spice rendernode src/qemu/qemu_driver.c | 2 ++ src/security/security_dac.c | 68 +++++++++++++++++++++++++++++++++++++++++ src/security/security_dac.h | 3 ++ src/security/security_manager.c | 4 ++- src/security/security_manager.h | 1 + 5 files changed, 77 insertions(+), 1 deletion(-) -- 2.13.5 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
