On Tue, Feb 26, 2013 at 05:08:40PM +0100, Michal Privoznik wrote: > Currently, if we label a file to match qemu process DAC label, we > do not store the original owner anywhere. So when relabeling > back, the only option we have is to relabel to root:root > which is obviously wrong. > > However, bare remembering is not enough. We need to keep track of > how many times we labeled a file so only the last restore > chown()-s file back to the original owner. Your patches don't deal with this scenario correctly I'm afraid. A shared file may be on NFS, so simply ref-counting inside libvirtd doesn't cut it. We need a ref count visible to all libvirtd instances that can see the file. My thought is that we ought to make use of an extended attribute for recording the ref count and original ownership. Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :| -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list