Re: [libvirt PATCH v7 00/35] Use nbdkit for http/ftp/ssh network drives in libvirt

On Mon, Aug 28, 2023 at 04:44:35PM -0500, Jonathon Jongsma wrote:
> This is the seventh version of this patch series. See
> https://bugzilla.redhat.com/show_bug.cgi?id=2016527 for more information.
> 
> Note that testing this requires selinux policy changes which are not fully
> done, but there is a new policy in development that has allowed me to run with
> selinux in enforcing mode for the common cases. See
> https://bugzilla.redhat.com/show_bug.cgi?id=2182505 for more information. The
> following scenarios should work now with selinux enabled using the selinux
> policy from that bug:
>  - http/https disks
>  - ssh disks with password authentication
>  - ssh disks with passwordless keyfile
> 
> The one major thing that doesn't work and is difficult to get working with
> selinux enabled is the ssh-agent. This is because there doesn't seem to be any
> selinux policy for ssh-agent, so by default the ssh-agent socket is labeled
> unconfined_t. We cannot allow access from the libvirt/qemu to unconfined_t
> because that would open up access to just about anything on the host. So
> additional work will likely be necessary for ssh-agent/libvirt interaction in
> the future. Fortunately ssh-agent is something that never was really supported
> with the old qemu block driver either, so I think we could potentially merge
> this patchset either without the ssh-agent patches or with a note that
> ssh-agent won't work with selinux enabled.
> 
> Note also that gitlab CI will not work for this series without changes to the
> ci definitions due to the addition of libnbd dependency.

As for dependencies in CI, since commit 120a674f25aa6e9e1ff7c2e9527f890f48f0340e
you can now add dependencies as part of the patch series as long as the
dependency exists in lcitool (which in this case it does). If it doesn't,
ideally it should be added directly to upstream lcitool, but there's also the
option of using mapping overrides using ci/lcitool/mappings.yml. So, before
this series gets merged a standalone commit tweaking
ci/lcitool/projects/libvirt.yml should be added - it's a trivial change for
which you can assume my R-b.

Erik
