There were some places in the code where files were being opened with uid:gid of the daemon instead of the qemu process related to the file.

First patch exposes the parseIds() function in order for it to be used somewhere else in the code than in the DAC security driver. The next patch fixes how the files are opened and the last one fixes occurrences of open() that should use different uid:gid for opening files.

There maybe should be a check for whether the file being opened is an image and whether the label used to open the file should be imagelabel or not. But, the QEMU process opening the file is running as the label (not imagelabel) and accessing the files as such.

Martin Kletzander (3):
  Expose ownership ID parsing
  Make qemuOpenFile aware of per-VM DAC seclabel.
  Use qemuOpenFile in qemu_driver.c

 src/libvirt_private.syms    |  1 +
 src/qemu/qemu_driver.c      | 87 +++++++++++++++++++++++++++++++--------------
 src/security/security_dac.c | 51 ++------------------------
 src/util/virutil.c          | 56 +++++++++++++++++++++++++++++
 src/util/virutil.h          |  2 ++
 5 files changed, 122 insertions(+), 75 deletions(-)

--
1.8.2.1
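The idea in the cover letter, opening a file with the uid:gid the QEMU process runs as rather than with the daemon's own, shown as an added example; this is not libvirt's code, and `open_as` and `send_result` are hypothetical names. It assumes Linux and forks a helper that drops to the target identity, opens the file, and hands the descriptor back over a UNIX socket, so the daemon's own credentials are never used for the access check.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Child side: report errno (0 = success) and, on success, pass the fd via SCM_RIGHTS. */
static void send_result(int sock, int fd, int err) {
    _Alignas(struct cmsghdr) char ctl[CMSG_SPACE(sizeof(int))] = {0};
    struct iovec iov = { .iov_base = &err, .iov_len = sizeof(err) };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1 };
    if (fd >= 0) {
        msg.msg_control = ctl;
        msg.msg_controllen = sizeof(ctl);
        struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
        c->cmsg_level = SOL_SOCKET;
        c->cmsg_type = SCM_RIGHTS;
        c->cmsg_len = CMSG_LEN(sizeof(int));
        memcpy(CMSG_DATA(c), &fd, sizeof(int));
    }
    sendmsg(sock, &msg, 0);
}

/* Hypothetical helper: open path with uid:gid credentials; returns an fd or -errno. */
int open_as(const char *path, int flags, mode_t mode, uid_t uid, gid_t gid) {
    int sv[2], err = EIO, fd = -1;
    int same = (uid == geteuid() && gid == getegid()); /* already the target identity */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -errno;
    pid_t pid = fork();
    if (pid < 0) { err = errno; close(sv[0]); close(sv[1]); return -err; }
    if (pid == 0) { /* child: drop groups, then gid, then uid (uid must go last) */
        if (same || (setgroups(0, NULL) == 0 && setgid(gid) == 0 && setuid(uid) == 0))
            fd = open(path, flags, mode);
        send_result(sv[1], fd, fd < 0 ? errno : 0);
        _exit(0);
    }
    close(sv[1]);
    _Alignas(struct cmsghdr) char ctl[CMSG_SPACE(sizeof(int))] = {0};
    struct iovec iov = { .iov_base = &err, .iov_len = sizeof(err) };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctl, .msg_controllen = sizeof(ctl) };
    if (recvmsg(sv[0], &msg, 0) != (ssize_t)sizeof(err)) err = EIO;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (err == 0 && c && c->cmsg_type == SCM_RIGHTS) memcpy(&fd, CMSG_DATA(c), sizeof(int));
    close(sv[0]);
    waitpid(pid, NULL, 0); /* reap the helper */
    return fd >= 0 ? fd : -(err ? err : EIO);
}
```

A caller that cannot switch to the requested uid:gid gets the credential-change error back (for example `-EPERM`) instead of a descriptor opened with the wrong identity.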