On Wed, Feb 22, 2023 at 17:02:48 +0100, Stefano Brivio wrote:
> On Wed, 22 Feb 2023 15:23:04 +0100
> Jiri Denemark <jdenemar@xxxxxxxxxx> wrote:
>
> > I have just tagged v9.1.0-rc1 in the repository and pushed signed
> > tarballs and source RPMs to https://libvirt.org/sources/
> >
> > Please give the release candidate some testing and in case you find a
> > serious issue which should have a fix in the upcoming release, feel
> > free to reply to this thread to make sure the issue is more visible.
>
> The "passt" network back-end is entirely non-functional on distributions
> shipping with SELinux: the binary helper can't be executed. The
> 'virsh start' command reports:
>
>   error: internal error: Could not start 'passt': libvirt: error : cannot execute binary /usr/bin/passt: Permission denied
>
> and the guest doesn't start. This is on Fedora 37, but it should be
> universally reproducible.
>
> I provided more details on the thread at:
>   https://listman.redhat.com/archives/libvir-list/2023-February/238096.html
>
> This is the relevant snippet from my domain XML file:
>
>     <interface type='user'>
>       <mac address='52:54:00:36:21:6f'/>
>       <model type='virtio'/>
>       <backend type='passt'/>
>       <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
>     </interface>

Yes, this is quite unfortunate, but there are even distributions that do
not ship SELinux. And this is not a regression since 9.0.0, is it?

As we're in freeze for the 9.1.0 release, reasonable bug fixes considered
safe (as in the chance for them to break more than they are fixing is
considered low) are welcome. But if, e.g., a patch (series), even though
being a bug fix, contains a nontrivial refactor, it should really wait
until after the release. Unless it's fixing a critical bug.

That said, if this can reasonably be fixed without risking other issues
before the release, we can do so. But otherwise, since this is new
functionality and SELinux is not present in all distributions, there's
no reason to push something big and risky at the last moment or delay
the release because of this issue. We don't do this for AppArmor either.

Jirka