[libvirt] unable to set security context (NFSv4 problem?)

Harald Dunkel harald.dunkel at aixigo.de
Thu Apr 22 06:43:37 UTC 2010


On 04/21/10 20:24, Spencer Shimko wrote:
> Harald Dunkel wrote:
>>
>> Do you think it would be possible to introduce a configure
>> option '--with-dac=no'?
> 
> I think that would be a little misleading ;)  It sounds like part of the
> problem was that the error message wasn't clearly conveying the reason
> for the problem.  It wasn't an SELinux security context that was causing
> issues, it was DAC user/group.  I just submitted a patch to clarify the
> error message to reference user/group instead of "security context."
> 

The error message was just an indication that there is something
fishy. All the NFS clients in my net have different UIDs and GIDs
for the local system accounts, esp. for libvirt and kvm. Sorry to
say, but the problem is not solved yet.

Questions:

Why should libvirt have the privilege to change UID and GID of a
disk image file on an NFS server? Usually this file is -rw-------
for root. Doesn't the chown() to a UID != 0 weaken the security?


Regards

Harri




More information about the libvir-list mailing list