On Mon, Jul 23, 2012 at 10:45:21AM +0100, Daniel P. Berrange wrote:
> On Sat, Jul 21, 2012 at 09:43:45PM +0100, Richard W.M. Jones wrote:
> > On Sat, Jul 21, 2012 at 08:20:45PM +0100, Richard W.M. Jones wrote:
> > > Some questions:
> >
> > Another question ...
> >
> > >   <channel type="unix">
> > >     <source mode="connect" path="/home/rjones/d/libguestfs/libguestfsSSg3Kl/guestfsd.sock"/>
> > >     <target type="virtio" name="org.libguestfs.channel.0"/>
> > >   </channel>
> >
> > This clause doesn't work when libguestfs/qemu runs as root. As far as
> > I can tell there is a combination of three factors working against it:
> >
> > (1) libvirt (when run as root) runs qemu as qemu.qemu. Since this
> > user didn't have write access to the socket, it fails. I fixed this
> > by chowning the socket.
>
> What libvirt URI are you using? If libguestfs is running as non-root,
> then I expect you'd want to use qemu:///session.

It's using NULL and expecting libvirt to choose the appropriate
connection URI, which does appear to work.

> Thus all files would be owned by the matching user ID, and I'd
> suggest $HOME/.libguestfs/qemu for the directory to store the sockets
> in.
>
> If libguestfs is running as root, then use qemu:///system and a socket
> under /var/lib/libguestfs/qemu/

This is fairly sucky. We already make a temporary directory (a randomly
named subdirectory of $TMPDIR) and that seems the appropriate place for
small temporary files like sockets, especially since the temp cleaner
will clean them up properly if we don't.

> You could either use the same directory that libvirt uses for the
> main QEMU monitor socket, or preferably define standard directories
> for libguestfs and have them added to the SELinux policy

So just so I'm completely clear about what's happening:

(1) SELinux labels are chosen based on the parent directory.

(2) By having a standard named parent directory (even $HOME/.libguestfs)
SELinux will assign the right label to a socket in this directory, even
if libguestfs is not running as root.

(3) libguestfs should not be setting labels on anything itself.

(4) If a non-root user has never run libguestfs before, then merely the
act of libguestfs doing mkdir("$HOME/.libguestfs") [as non-root] will
ensure that any sockets in this directory are labelled correctly.

Is this right?

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming blog: http://rwmj.wordpress.com
Fedora now supports 80 OCaml packages (the OPEN alternative to F#)
http://cocan.org/getting_started_with_ocaml_on_red_hat_and_fedora

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
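The DAC side of point (1) in the quoted message (qemu running as qemu.qemu cannot open a socket owned by another user) can be checked before the path is handed to libvirt. The following is an added example, not code from this thread or from libguestfs; the `qemu` uid/gid and the `guestfsd.sock` temp directory it builds are constructed stand-ins, and it only models mode bits, not SELinux labels.

```python
import os
import socket
import stat
import tempfile

# Added example (not from the thread or libguestfs): model the DAC check a
# non-root qemu process would face when libvirt hands it a <channel
# type="unix"> socket path. Pure mode-bit logic, so it works even as root.

def _allowed(st, uid, gid, user_bit, group_bit, other_bit):
    if st.st_uid == uid:
        return bool(st.st_mode & user_bit)
    if st.st_gid == gid:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)

def check_socket_access(path, uid, gid):
    """Return a list of problems; an empty list means uid:gid can connect
    and the socket is not exposed to every local user."""
    st = os.lstat(path)
    if not stat.S_ISSOCK(st.st_mode):
        return ["%s is not a unix socket" % path]
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    problems = []
    if not _allowed(pst, uid, gid, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
        problems.append("uid %d cannot traverse %s" % (uid, parent))
    if not _allowed(st, uid, gid, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH):
        problems.append("uid %d has no write (connect) access to %s" % (uid, path))
    if st.st_mode & stat.S_IWOTH:
        problems.append("%s is writable by every local user" % path)
    return problems

def demo():
    """Constructed scenario: a private temp dir like libguestfs's, and a
    hypothetical 'qemu' identity that is simply not the current user."""
    d = tempfile.mkdtemp(); os.chmod(d, 0o700)
    sock_path = os.path.join(d, "guestfsd.sock")
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(sock_path)
    os.chmod(sock_path, 0o600)
    me = (os.getuid(), os.getgid())
    qemu = (me[0] + 1, me[1] + 1)                  # hypothetical other uid/gid
    own = check_socket_access(sock_path, *me)      # owner: no problems
    denied = check_socket_access(sock_path, *qemu) # 0700 dir + 0600 socket
    os.chmod(sock_path, 0o666)                     # the tempting "fix"
    exposed = check_socket_access(sock_path, *qemu)
    s.close(); os.unlink(sock_path); os.rmdir(d)
    return own, denied, exposed
```

The third result shows why loosening the socket mode is the wrong fix: the directory still blocks traversal and the socket is now open to every local user, whereas chowning (as the quoted message did) or a dedicated directory with the right owner keeps the socket private.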