Re: [PATCH v2 0/2] dac: relabel spice rendernode

On Sun, 2017-08-27 at 12:20 -0400, Cole Robinson wrote:
> This fixes the last issue preventing qemu:///system spice GL from working
> out of the box: chown'ing the rendernode path so we have permissions
> to open it.
> 
> We skip this if mount namespaces are disabled, so the chown'ing won't
> interfere with other rendernode users on the host.
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1460804
> 
> v2:
>     Add the MOUNT_NAMESPACE handling
>     Drop DAC restore of rendernode
> 
> Cole Robinson (2):
>   security: add MANAGER_MOUNT_NAMESPACE flag
>   security: dac: relabel spice rendernode
> 
>  src/qemu/qemu_driver.c          |  2 ++
>  src/security/security_dac.c     | 68 +++++++++++++++++++++++++++++++++++++++++
>  src/security/security_dac.h     |  3 ++
>  src/security/security_manager.c |  4 ++-
>  src/security/security_manager.h |  1 +
>  5 files changed, 77 insertions(+), 1 deletion(-)

Looks reasonable and works as expected on my Fedora 26
installation, so for the entire series:

  Reviewed-by: Andrea Bolognani <abologna@xxxxxxxxxx>

You should document this in the release notes, though :)

-- 
Andrea Bolognani / Red Hat / Virtualization

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list


