Re: [libvirt PATCH] docs: add page describing the libvirt daemons

On Thu, Mar 05, 2020 at 04:10:48PM +0100, Andrea Bolognani wrote:
> On Thu, 2020-03-05 at 14:57 +0000, Daniel P. Berrangé wrote:
> > On Thu, Mar 05, 2020 at 03:49:46PM +0100, Andrea Bolognani wrote:
> > > I've enabled split-daemon mode on my laptop and it seems to work
> > > quite seamlessly; however, I had to put SELinux into Permissive mode
> > > because I was getting
> > > 
> > >   audit[470365]: AVC avc:  denied  { search } for
> > >     pid=470365 comm="virtlogd" name="470092" dev="proc" ino=1314622
> > >     scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023
> > >     tcontext=system_u:system_r:unconfined_service_t:s0
> > >     tclass=dir permissive=0
> > 
> > There is an RFE open with SELinux maintainers to apply labelling to
> > the new daemons.
> > 
> > They all currently run unconfined_service_t.
> > 
> > We requested to make them use virtd_t to have parity with libvirtd
> > policy.
> 
> That's great news!

BTW, this highlights the key problem with having SELinux policy for libvirt
shipped & maintained by a completely different project.  I have been in
discussion with the Red Hat SELinux maintainers about their desire to switch
to a distributed model where each application owns its own SELinux policy.

So expect that at some point this year, libvirt will be able to take
ownership of its SELinux policy.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|




