On Fri, Jan 19, 2024 at 01:11:19PM +0100, Peter Krempa wrote:
> On Fri, Jan 19, 2024 at 12:01:55 +0000, Richard W.M. Jones wrote:
> > (2) I'm fairly sure you'll find you need to use --selinux-label at
> > some point. This does some SELinux/sVirt voodoo on the socket. We
> > found that this was necessary:
> >
> >   nbdkit -U /tmp/sock --selinux-label=system_u:object_r:svirt_socket_t:s0 ...
> >   chcon system_u:object_r:svirt_image_t:s0 /tmp/sock
> >
> > to allow qemu clients to connect to nbdkit when SELinux is enabled,
> > but only some of the time (like, it works fine without this on either
> > Fedora or RHEL, but not the other one, I forget which way round now).
>
> IIRC this is handled by libvirt's security labelling code anyways.

I think that's the labelling of the socket, but there's also the
labelling of the process (nbdkit) side of the socket? They are two
separate things, IIRC.

Anyway just noting that we had trouble with this in the past and the
above ^^^ was found to be the solution.

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html