[PATCH 1/2] qemu: Use qemuDomainOpenFile() in qemuPrepareNVRAM()


 



Previously, the nvram file was created with 'root' as its user/group
owner, rather than with the specifications defined in libvirtd.conf.
The solution is to call qemuDomainOpenFile(), which creates the file
with the defined permissions, and qemuSecurityDomainSetPathLabel() to
set the security label for the created nvram file.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1783255

Signed-off-by: Kristina Hanicova <khanicov@xxxxxxxxxx>
---
 src/qemu/qemu_process.c | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 35213f81ec..2aa4574d94 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -4499,9 +4499,10 @@ qemuProcessUpdateCPU(virQEMUDriver *driver,
 
 
 static int
-qemuPrepareNVRAM(virQEMUDriverConfig *cfg,
+qemuPrepareNVRAM(virQEMUDriver *driver,
                  virDomainObj *vm)
 {
+    g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
     int ret = -1;
     int srcFD = -1;
     int dstFD = -1;
@@ -4538,17 +4539,17 @@ qemuPrepareNVRAM(virQEMUDriverConfig *cfg,
                              master_nvram_path);
         goto cleanup;
     }
-    if ((dstFD = virFileOpenAs(loader->nvram,
-                               O_WRONLY | O_CREAT | O_EXCL,
-                               S_IRUSR | S_IWUSR,
-                               cfg->user, cfg->group, 0)) < 0) {
-        virReportSystemError(-dstFD,
-                             _("Failed to create file '%s'"),
-                             loader->nvram);
+
+    if ((dstFD = qemuDomainOpenFile(driver, vm, loader->nvram,
+                                    O_WRONLY | O_CREAT | O_EXCL,
+                                    NULL)) < 0)
         goto cleanup;
-    }
+
     created = true;
 
+    if (qemuSecurityDomainSetPathLabel(driver, vm, loader->nvram, false) < 0)
+        goto cleanup;
+
     do {
         char buf[1024];
 
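Review bot: The new `qemuDomainOpenFile(driver, vm, loader->nvram, O_WRONLY | O_CREAT | O_EXCL, NULL)` call no longer passes a creation mode, where the removed `virFileOpenAs()` call pinned it to `S_IRUSR | S_IWUSR`. The permissions of the NVRAM file now depend entirely on qemuDomainOpenFile(), whose body is not part of this patch, so it is worth confirming that the file is still created owner-only. The `virReportSystemError()` call was dropped too, which is only correct if qemuDomainOpenFile() reports an error on every failure path. Once both are confirmed, I would record them above the call, e.g. `/* qemuDomainOpenFile() applies the configured owner, chooses the creation mode and reports errors itself */`. qemuPrepareNVRAM() starts and ends outside this hunk, so whether the `cleanup` label removes the new file when `qemuSecurityDomainSetPathLabel()` fails cannot be checked from here.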
@@ -6723,7 +6724,7 @@ qemuProcessPrepareHost(virQEMUDriver *driver,
     qemuDomainObjPrivate *priv = vm->privateData;
     g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
 
-    if (qemuPrepareNVRAM(cfg, vm) < 0)
+    if (qemuPrepareNVRAM(driver, vm) < 0)
         return -1;
 
     if (vm->def->vsock) {
-- 
2.31.1



