On Tue, Feb 26, 2013 at 05:23:18PM -0700, Eric Blake wrote: > On 02/26/2013 09:08 AM, Michal Privoznik wrote: > > Currently, if we label a file to match qemu process DAC label, we > > do not store the original owner anywhere. So when relabeling > > back, the only option we have is to relabel to root:root > > which is obviously wrong. > > > > However, bare remembering is not enough. We need to keep track of > > how many times we labeled a file so only the last restore > > chown()-s file back to the original owner. > > Definitely important for a read-only file shared by more than one domain. > > > > > In order to not pollute domain XML, this info is kept in driver's > > private data in a hash table with path being key and pair > > <oldLabel, refcount> being value. > > Makes sense. > > Have you looked at what it would take to use ACLs to grant access to > qemu without having to do a full-blown chown? That would also need to > use the hash table to undo the ACL at the end of the day, and we would > need to fall back to chown() on file systems where ACL doesn't work, but > it certainly sounds like that would be sharing some of the work in this > patch. Yep, independantly this patch we ought to make use of ACLs. It would remove a whole class of problems users experiance and make udev happier since it hates things chown'ing device nodes behind its back and has a tendancy to change them back at any moment. Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :| -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list