On 08/30/2011 08:49 AM, Daniel Veillard wrote:
I'm still testing this, but based on how we label the incoming pipe in
qemuProcessStart, I think this will solve the problem.
diff --git i/src/qemu/qemu_migration.c w/src/qemu/qemu_migration.c
index a2dc97c..38b05a9 100644
--- i/src/qemu/qemu_migration.c
if (spec.dest.fd.qemu == -1 ||
- virSetCloseExec(spec.dest.fd.qemu)< 0 ||
- virSetCloseExec(spec.dest.fd.local)< 0) {
+ virSecurityManagerSetImageFDLabel(driver->securityManager, vm,
+ spec.dest.fd.qemu)< 0) {
virReportSystemError(errno, "%s",
_("cannot create pipe for tunnelled migration"));
goto cleanup;
Okay, I managed to reproduce the problem and this fixes it,
ACK,
Thanks; pushed with this commit message:
commit e6b8bc812af254f2ec6321b3cb7e9210b519deb0
Author: Eric Blake <eblake@xxxxxxxxxx>
Date: Mon Aug 29 17:31:42 2011 -0600
qemu: properly label outgoing pipe for tunneled migration
Commit 3261761 made it possible to use pipes instead of sockets
for outgoing tunneled migration; however, it caused a regression
because the pipe was never given a SELinux label.
* src/qemu/qemu_migration.c (doTunnelMigrate): Label outgoing pipe.
--
Eric Blake eblake@xxxxxxxxxx +1-801-349-2682
Libvirt virtualization library http://libvirt.org
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list