[libvirt] [PATCHv5 00/13] outgoing fd: migration and virFileOpenAs

Daniel Veillard veillard at redhat.com
Mon Mar 28 13:01:02 UTC 2011


On Sat, Mar 26, 2011 at 06:52:29AM -0600, Eric Blake wrote:
> This addresses the comments raised during v4:
> https://www.redhat.com/archives/libvir-list/2011-March/msg00421.html
> More comments in individual patches.
> 
> It could still use a bit more testing with root-squash NFS, and I'm
> also hitting a problem where if I run daemon/libvirtd myself, I
> get a SELinux error:
> 
> error: unable to set security context 'system_u:object_r:svirt_image_t:s0:c80,c237' on fd 23: Permission denied
> 
> but if I run the system service libvirtd or SELinux permissive, things
> work.  Somehow, the attempt to set the fd SELinux label on a pipe is
> not working when libvirt is started as an unconfined process (that is,
> the fd has label
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023) but when
> started as a daemon, SELinux is happy to allow the transition.  I
> suspect that this is a bug in SELinux, since my understanding is that
> it should always be possible to go from unconfined to something more
> restrictive, but we already proved that SELinux fd labelling is
> relatively unused and untested back when we first added it in commit
> 34a19dda.
> 
> If possible, I'd like to get this in before the 0.9.0 freeze, and we
> can fix any fallout from testing during the freeze week.

  Okay, go ahead, 5 iterations is a lot already, and we will clean
things up as they go later. Reviewing giant patch series ain't fun
for anybody (wild guess on my part :-), and reviewing the fixes
is preferable now.

 ACK

Daniel

-- 
Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
daniel at veillard.com  | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library  http://libvirt.org/



