[libvirt] [PATCHv5 00/13] outgoing fd: migration and virFileOpenAs
Eric Blake
eblake at redhat.com
Mon Mar 28 16:59:29 UTC 2011

On 03/28/2011 07:01 AM, Daniel Veillard wrote:
> On Sat, Mar 26, 2011 at 06:52:29AM -0600, Eric Blake wrote:
>> This addresses the comments raised during v4:
>> https://www.redhat.com/archives/libvir-list/2011-March/msg00421.html
>> More comments in individual patches.
>>
>> It could still use a bit more testing with root-squash NFS, and I'm
>> also hitting a problem where if I run daemon/libvirtd myself, I
>> get a SELinux error:
>>
>> error: unable to set security context 'system_u:object_r:svirt_image_t:s0:c80,c237' on fd 23: Permission denied
>>
>> but if I run the system service libvirtd or SELinux permissive, things
>> work. Somehow, the attempt to set the fd SELinux label on a pipe is
>> not working when libvirt is started as an unconfined process (that is,
>> the fd has label
>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023) but when
>> started as a daemon, SELinux is happy to allow the transition. I
>> suspect that this is a bug in SELinux, since my understanding is that
>> it should always be possible to go from unconfined to something more
>> restrictive, but we already proved that SELinux fd labelling is
>> relatively unused and untested back when we first added it in commit
>> 34a19dda.
>>
>> If possible, I'd like to get this in before the 0.9.0 freeze, and we
>> can fix any fallout from testing during the freeze week.
>
> Okay, go ahead, 5 iterations is a lot already, and we will clean
> things up as they go later. Reviewing giant patch series ain't fun
> for anybody (wild guess on my part :-) , and reviewing the fixes
> is preferable now,
>
> ACK

Thanks. Series pushed, and I'm now trying to track down why I get that
SELinux failure when run from an unconfined shell but not when run as a
system service.

--
Eric Blake eblake at redhat.com +1-801-349-2682
Libvirt virtualization library http://libvirt.org