Re: [Patch v3 0/3] Add QEMU network helper support

libvir-list-bounces@xxxxxxxxxx wrote on 08/06/2012 11:18:31 AM:

> From: Laine Stump <laine@xxxxxxxxx>
> To: libvir-list@xxxxxxxxxx
> Date: 08/06/2012 11:27 AM
> Subject: Re: [Patch v3 0/3] Add QEMU network helper support
> Sent by: libvir-list-bounces@xxxxxxxxxx
>
> On 08/06/2012 10:56 AM, Michal Privoznik wrote:
> > On 03.08.2012 22:33, rmarwah@xxxxxxxxxxxxxxxxxx wrote:
> >> From: Richa Marwaha <rmarwah@xxxxxxxxxxxxxxxxxx>
> >>
> >> QEMU has a new feature which allows QEMU to execute under an
> >> unprivileged user ID and still be able to add a tap device to a
> >> Linux network bridge.
> >> [...]
> > So I've gone ahead, reviewed, ACKed and pushed the whole series.
> > I suggest it is worth adding some kind of documentation (either a wiki
> > page, or mention it somewhere in docs/ docs/drvqemu.html.in perhaps?) -
> > how to set up bridge-helper.
>
> Yes, it's a bit odd to figure out the right place to document it, since
> there is no setup done within libvirt - libvirt just silently takes
> advantage of it if it's there.
>
> By the way, I had earlier expressed concern about the eventuality that
> we support bridged networking for non-privileged users directly within
> libvirt (via a separate libvirt-networkd and policykit), and the case
> where someone had a working config using the qemu helper - I was worried
> that this person's setup might stop working as a result of the upgrade
> which changed to the newer method of setting up the network (e.g. if
> something needed to be configured to allow that user access via
> policykit, and hadn't been done yet). Since then I've realized that we
> can handle that problem by continuing to fall back to the qemu helper
> when this (for now mythical) new method fails. That removes my only
> concern about this series.
>
> Another issue though - a patch for AppArmor has been included, but I'm
> unclear of whether this needs something done for selinux (either in
> libvirt itself, or in selinux-policy). Does somebody have the updated
> qemu installed on a system with selinux enabled, and could you give it a
> try?


SELinux already has the policies to allow the qemu helper; here is the link to the patch adding the policies:

http://git.fedorahosted.org/cgit/selinux-policy.git/diff/?id=56e0a4b775f29ec13e6f887490ec9fbc6f9897f4

It will be upstream in Fedora.

Regards
Richa

>
> --
> libvir-list mailing list
> libvir-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/libvir-list
>
