Re: [PATCHv5 00/13] outgoing fd: migration and virFileOpenAs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 03/28/2011 07:01 AM, Daniel Veillard wrote:
> On Sat, Mar 26, 2011 at 06:52:29AM -0600, Eric Blake wrote:
>> This addresses the comments raised during v4:
>> https://www.redhat.com/archives/libvir-list/2011-March/msg00421.html
>> More comments in individual patches.
>>
>> It could still use a bit more testing with root-squash NFS, and I'm
>> also hitting a problem where if I run daemon/libvirtd myself, I
>> get a SELinux error:
>>
>> error: unable to set security context 'system_u:object_r:svirt_image_t:s0:c80,c237' on fd 23: Permission denied
>>
>> but if I run the system service libvirtd or SELinux permissive, things
>> work.  Somehow, the attempt to set the fd SELinux label on a pipe is
>> not working when libvirt is started as an unconfined process (that is,
>> the fd has label
>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023) but when
>> started as a daemon, SELinux is happy to allow the transition.  I
>> suspect that this is a bug in SELinux, since my understanding is that
>> it should always be possible to go from unconfined to something more
>> restrictive, but we already proved that SELinux fd labelling is
>> relatively unused and untested back when we first added it in commit
>> 34a19dda.
>>
>> If possible, I'd like to get this in before the 0.9.0 freeze, and we
>> can fix any fallout from testing during the freeze week.
> 
>   Okay, go ahead, 5 iterations is a lot already, and we will clean
> things up as they go later. Reviewing giant patch series ain't fun
> for anybody (wild guess on my part :-) , and reviewing the fixes
> is preferable now,
> 
>  ACK

Thanks.  Series pushed, and I'm now trying to track down why I get that
SELinux failure when run from an unconfined shell but not when run as a
system service.

-- 
Eric Blake   eblake@xxxxxxxxxx    +1-801-349-2682
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list

[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]