On 03/28/2011 07:01 AM, Daniel Veillard wrote:
> On Sat, Mar 26, 2011 at 06:52:29AM -0600, Eric Blake wrote:
>> This addresses the comments raised during v4:
>> https://www.redhat.com/archives/libvir-list/2011-March/msg00421.html
>> More comments in individual patches.
>>
>> It could still use a bit more testing with root-squash NFS, and I'm
>> also hitting a problem where if I run daemon/libvirtd myself, I
>> get a SELinux error:
>>
>> error: unable to set security context 'system_u:object_r:svirt_image_t:s0:c80,c237' on fd 23: Permission denied
>>
>> but if I run the system service libvirtd or SELinux permissive, things
>> work. Somehow, the attempt to set the fd SELinux label on a pipe is
>> not working when libvirt is started as an unconfined process (that is,
>> the fd has label
>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023) but when
>> started as a daemon, SELinux is happy to allow the transition. I
>> suspect that this is a bug in SELinux, since my understanding is that
>> it should always be possible to go from unconfined to something more
>> restrictive, but we already proved that SELinux fd labelling is
>> relatively unused and untested back when we first added it in commit
>> 34a19dda.
>>
>> If possible, I'd like to get this in before the 0.9.0 freeze, and we
>> can fix any fallout from testing during the freeze week.
>
> Okay, go ahead, 5 iterations is a lot already, and we will clean
> things up as they go later. Reviewing giant patch series ain't fun
> for anybody (wild guess on my part :-) , and reviewing the fixes
> is preferable now,
>
> ACK

Thanks. Series pushed, and I'm now trying to track down why I get that
SELinux failure when run from an unconfined shell but not when run as a
system service.

--
Eric Blake eblake@xxxxxxxxxx +1-801-349-2682
Libvirt virtualization library http://libvirt.org
Attachment:
signature.asc
Description: OpenPGP digital signature
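The failure discussed above involves two labels: the context of the process doing the relabel and the label already on the file descriptor. The helper below, added here as an illustration and not part of libvirt or of the thread, reads both through the same /proc and xattr interfaces libselinux uses, so a reader can reproduce the observation ("what context am I running as, and what label does this pipe carry?") before looking at the audit log. The sample context strings in the test are the ones quoted in the mail; on a kernel without SELinux the readers return None rather than raising.

```python
"""Diagnostic: show the SELinux context of this process and of an fd.

Added example, not libvirt code. process_context() reads
/proc/self/attr/current (what libselinux's getcon() returns) and
fd_context() reads the security.selinux xattr through /proc/self/fd/N
(what fgetfilecon() returns). Both return None when SELinux is absent.
"""
import os
from typing import Optional


def process_context() -> Optional[str]:
    """Current SELinux context of this process, e.g.
    'unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023', or None."""
    try:
        with open("/proc/self/attr/current", "rb") as f:
            raw = f.read()
    except OSError:
        return None
    ctx = raw.rstrip(b"\x00\n").decode(errors="replace")
    return ctx or None


def fd_context(fd: int) -> Optional[str]:
    """SELinux label of the object behind fd (pipe, file, socket), or None
    when the kernel exposes no security.selinux attribute for it."""
    try:
        raw = os.getxattr(f"/proc/self/fd/{fd}", "security.selinux")
    except OSError:
        return None
    return raw.rstrip(b"\x00").decode(errors="replace") or None


def split_context(ctx: str) -> dict:
    """Split 'user:role:type[:range]' into its fields.

    The MLS/MCS range may itself contain ':' (e.g. 's0-s0:c0.c1023'), so
    only the first three separators are significant.
    """
    parts = ctx.split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"not a SELinux context: {ctx!r}")
    return {
        "user": parts[0],
        "role": parts[1],
        "type": parts[2],
        "range": parts[3] if len(parts) == 4 else None,
    }


def relabel_summary(fd_label: str, target: str) -> str:
    """One-line description of a requested fd relabel, in the form a
    bug report would want: which type changes into which."""
    src, dst = split_context(fd_label), split_context(target)
    return f"{src['type']} -> {dst['type']} (range {dst['range']})"


if __name__ == "__main__":
    # Open a pipe, as libvirtd does for the fd it tries to relabel, and
    # show both labels so the observation from the mail can be checked.
    r, w = os.pipe()
    print("process context:", process_context())
    print("pipe fd label  :", fd_context(r))
    os.close(r)
    os.close(w)
```

Run it once from an interactive shell and once under the system service (or via `runcon`) to see whether the starting process context, rather than the requested target label, is what differs between the two cases.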
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list