<html><body> <tt>libvir-list-bounces@redhat.com wrote on 08/06/2012 11:18:31 AM: > From:</tt> <tt>> > Laine Stump <laine@laine.org></tt> <tt>> > To:</tt> <tt>> > libvir-list@redhat.com</tt> <tt>> > Date:</tt> <tt>> > 08/06/2012 11:27 AM</tt> <tt>> > Subject:</tt> <tt>> > Re: [libvirt] [Patch v3 0/3] Add QEMU network helper support</tt> <tt>> > Sent by:</tt> <tt>> > libvir-list-bounces@redhat.com</tt> <tt>> > On 08/06/2012 10:56 AM, Michal Privoznik wrote: > > On 03.08.2012 22:33, rmarwah@linux.vnet.ibm.com wrote: > >> From: Richa Marwaha <rmarwah@linux.vnet.ibm.com> > >> > >> QEMU has a new feature which allows QEMU to execute under an > unprivileged user ID and still be able to > >> add a tap device to a Linux network bridge. > >> [...] > > So I've went ahead, reviewed, ACKed and pushed whole series. > > I suggest is worth adding some kind of documentation (either a wiki > > page, or mention it somewhere in docs/ docs/drvqemu.html.in perhaps?) - > > how to set up bridge-helper. > > Yes, it's a bit odd to figure out the right place to document it, since > there is no setup done within libvirt - libvirt just silently takes > advantage of it if it's there. > > By the way, I had earlier expressed concern about the eventuality that > we support bridged networking for non-privileged users directly within > libvirt (via a separate libvirt-networkd and policykit), and the case > where someone had a working config using the qemu helper - I was worried > that this person's setup might stop working as a result of the upgrade > which changed to the newer method of setting up the network (e.g. if > something needed to be configured to allow that user access via > policykit, and hadn't been done yet). Since then I've realized that we > can handle that problem by continuing to fall back to the qemu helper > when this (for now mythical) new method fails. That removes my only > concern about this series. > > Another issue though - a patch for AppArmor has been included, but I'm > unclear of whether this needs something done for selinux (either in > libvirt itself, or in selinux-policy). Does somebody have the updated > qemu installed on a system with selinux enabled, and could you give it a > try?</tt> <tt>selinux already has the policies to allow qemu helper , here is the link to the patch adding the policies</tt> <tt><a href="http://git.fedorahosted.org/cgit/selinux-policy.git/diff/?id=56e0a4b775f29ec13e6f887490ec9fbc6f9897f4">http://git.fedorahosted.org/cgit/selinux-policy.git/diff/?id=56e0a4b775f29ec13e6f887490ec9fbc6f9897f4</a></tt> <tt>It will be upstream in Fedora.</tt> <tt>Regards</tt> <tt>Richa </tt> <tt> > > -- > libvir-list mailing list > libvir-list@redhat.com > <a href="https://www.redhat.com/mailman/listinfo/libvir-list">https://www.redhat.com/mailman/listinfo/libvir-list</a> > </tt></body></html>