[libvirt] Re: [PATCH] Add huge page support to libvirt, v2..
Daniel P. Berrange
berrange at redhat.com
Wed Aug 5 14:50:56 UTC 2009
On Tue, Jul 28, 2009 at 08:04:31AM -0400, Stephen Smalley wrote:
> On Mon, 2009-07-27 at 22:55 +0100, Daniel P. Berrange wrote:
> >
> > In light of what Chris said about extended attribute support
> > for SELinux I think we, sadly, have no choice but to mount
> > a new instance of hugetlbfs per VM, labelled with the context
> > of that VM. The problem is that this doesn't really fit into
> > the internal architecture we have in the slightest. The
> > SELinux support we have is focused around re-labelling
> > existing resources.
> >
> > This hugetlbfs support implies that the SELinux driver is
> > altering our command line arg generator, which is not an
> > easy thing for us to support, given the code flow here.
> > We might have to resort to sick gross hacks.... unless the
> > kernel guys think its easy to add extended attribute support
> > to hugetlbfs in no time at all.
>
> There is a vfs fallback for setxattr of the security.* namespace to the
> security module, which would work for hugetlbfs if not for the fact that
> policy defines it as a genfscon-labeled filesystem. We only started
> prohibiting setxattr on genfscon-labeled filesystems in 2.6.30; prior to
> that we only did that for mountpoint-labeled filesystems. I can
> actually chcon a file in a hugetlbfs mount on 2.6.29.
Ahh, I can get that to work too on 2.6.29, I had previously
been testing 2.6.30 :-)
> To convert hugetlbfs to fully support labeling we'd need
> hugetlbfs_mknod() to call security_inode_init_security() to set up new
> inode security labels, just like shmem_mknod() does for tmpfs. And then
> we'd need to switch over the policy from genfscon to fs_use_trans.
This sounds like a preferable plan to me - avoids having to have 100s,
if not 1000s, of instances of hugetlbfs mounted on large machines; then
John's latest patch for libvirt would pretty much be sufficient.
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|