On Sun, 2017-08-27 at 12:20 -0400, Cole Robinson wrote: > This fixes the last issue preventing qemu:///system spice GL from working > out of the box: chown'ing the rendernode path so we have permissions > to open it. > > We skip this if mount namespaces are disabled, so the chown'ing won't > interfere with other rendernode users on the host. > > https://bugzilla.redhat.com/show_bug.cgi?id=1460804 > > v2: > Add the MOUNT_NAMESPACE handling > Drop DAC restore of rendernode > > Cole Robinson (2): > security: add MANAGER_MOUNT_NAMESPACE flag > security: dac: relabel spice rendernode > > src/qemu/qemu_driver.c | 2 ++ > src/security/security_dac.c | 68 +++++++++++++++++++++++++++++++++++++++++ > src/security/security_dac.h | 3 ++ > src/security/security_manager.c | 4 ++- > src/security/security_manager.h | 1 + > 5 files changed, 77 insertions(+), 1 deletion(-) Looks reasonable and works as expected on my Fedora 26 installation, so for the entire series: Reviewed-by: Andrea Bolognani <abologna@xxxxxxxxxx> You should document this in the release notes, though :) -- Andrea Bolognani / Red Hat / Virtualization -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list