On Wed, Mar 09, 2011 at 07:18:32PM -0700, Eric Blake wrote: > SELinux labeling and cgroup ACLs aren't required if we hand a > pre-opened fd to qemu. All the more reason to love fd: migration. I know that holds true for cgroups which checks on open() only, but are you absolutely sure about for SELinux? SELinux checks FDs on every single syscall. I'm really fuzzy about what happens to an FD's associated security context when you pass it over an UNIX socket using SCM_RIGHTS. I think it might 'just work' as we already do this with TAP devices and don't label them, but it could be we have a generic policy rule related to TAP devices. If it passed testing with SELinux in enforcing mode, then ACK Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :| -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list