----- Original Message -----
> From: Martin Kletzander <mkletzan@xxxxxxxxxx>
> To: Cristian Ciupitu <cristian.ciupitu@xxxxxxxxx>
> Cc: Eric Blake <eblake@xxxxxxxxxx>; libvirt-users <libvirt-users@xxxxxxxxxx>
> Sent: Tuesday, August 20, 2013 6:05 PM
> Subject: Re: Stop the relabeling of CD images
>
> On 08/20/2013 04:19 AM, Cristian Ciupitu wrote:
>> ----- Original Message -----
>>> From: Eric Blake <eblake@xxxxxxxxxx>
>>> To: Cristian Ciupitu <cristian.ciupitu@xxxxxxxxx>
>>> Cc: libvirt-users <libvirt-users@xxxxxxxxxx>
>>> Sent: Monday, August 19, 2013 11:24 PM
>>> Subject: Re: Stop the relabeling of CD images
>>
>>> So maybe this would do it:
>>>
>>> <source file=...>
>>>   <seclabel model='selinux' relabel='no'/>
>>>   <seclabel model='dac' relabel='no'/>
>>> </source>
>>
>> I've just tried it and the SELinux label is not changed anymore, but
>> the ownership is still changed to qemu:qemu.
>>
>>> I'm also not sure why you think to resort to chattr +i, but if using
>>> that causes libvirt heartburn, maybe we have a bug to fix to be more
>>> tolerant of failed label attempts due to chattr.
>>
>> I resorted to `chattr +i` because I got tired of libvirtd messing with
>> my files even if it wasn't required. The official versions of libvirtd
>> from Fedora 18 or 19 used to complain about not being able to change the
>> files, but the current bleeding edge version hasn't complained (with the
>> XML config from above).
>>
>> To sum it up, SELinux - solved, DAC - not (yet).
>>
>
> I played with it earlier, but I'm not sure which settings we use when.
> This is just a "possible workaround", even though it might look like
> it's doing something else. Anyway, If I'm not mistaken, adding a
> <shareable/> into the <disk> element should stop all relabeling.
> Correct me if I'm wrong and post your findings, I'll try how relabel
> works for DAC with upstream in the meantime.

<shareable/> didn't work for me. This is what I currently have:

    # virsh dumpxml test
    ...
        <disk type='file' device='cdrom'>
          <driver name='qemu' type='raw'/>
          <source file='/mnt/extra/Software/Linux/Fedora/Fedora-Live-Desktop-x86_64-19/Fedora-Live-Desktop-x86_64-19-1.iso'>
            <seclabel model='selinux' relabel='no'/>
          </source>
          <target dev='hdc' bus='ide'/>
          <readonly/>
          <shareable/>
          <address type='drive' controller='0' bus='1' target='0' unit='0'/>
        </disk>
    ...

And this is what happens:

    # ls -lZ Fedora-Live-Desktop-x86_64-19-1.iso
    -r--r--r--. root root system_u:object_r:public_content_t:s0 Fedora-Live-Desktop-x86_64-19-1.iso
    # virsh start test
    Domain test started

    # ls -lZ Fedora-Live-Desktop-x86_64-19-1.iso
    -r--r--r--. qemu qemu system_u:object_r:public_content_t:s0 Fedora-Live-Desktop-x86_64-19-1.iso

Adding <seclabel model='dac' relabel='no'/> under <source> doesn't make a difference.

Kind regards,
Cristian Ciupitu

_______________________________________________
libvirt-users mailing list
libvirt-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvirt-users
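An added example, not part of the original thread or of libvirt: a small audit of `virsh dumpxml` output that reports which file-backed disk sources lack a per-source `relabel='no'` for the two security models discussed above. The function names, the sample domain XML and its file paths are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the <disk> element in the thread; paths are placeholders.
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <devices>
    <disk type='file' device='cdrom'>
      <source file='/images/example-a.iso'>
        <seclabel model='selinux' relabel='no'/>
      </source>
      <target dev='hdc' bus='ide'/>
    </disk>
    <disk type='file' device='cdrom'>
      <source file='/images/example-b.iso'>
        <seclabel model='selinux' relabel='no'/>
        <seclabel model='dac' relabel='no'/>
      </source>
      <target dev='hdd' bus='ide'/>
    </disk>
    <disk type='file' device='disk'>
      <source file='/images/example-c.img'/>
      <target dev='vda' bus='virtio'/>
    </disk>
  </devices>
</domain>
"""

MODELS = ("selinux", "dac")  # the two security models discussed in the thread

def relabel_overrides(domain_xml, models=MODELS):
    """Map each file-backed disk source to {model: relabel value or None}.
    None means the source has no <seclabel> override for that model."""
    report = {}
    for disk in ET.fromstring(domain_xml).iter("disk"):
        source = disk.find("source")
        if source is None or source.get("file") is None:
            continue  # skip disks without a file-backed source
        found = {s.get("model"): s.get("relabel") for s in source.findall("seclabel")}
        report[source.get("file")] = {m: found.get(m) for m in models}
    return report

def missing_opt_out(domain_xml, models=MODELS):
    """Sorted (path, model) pairs that lack an explicit relabel='no'."""
    report = relabel_overrides(domain_xml, models)
    return sorted((p, m) for p, per in report.items() for m, v in per.items() if v != "no")

if __name__ == "__main__":
    for path, model in missing_opt_out(SAMPLE_DOMAIN_XML):
        print(f"{path}: no relabel='no' override for model '{model}'")
```

This only audits the configuration. As the message above reports, an explicit `dac` override did not stop the ownership change in that setup, so compare `ls -lZ` output before and after `virsh start` to confirm the effect.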