[libvirt] /var/lib/libvirt/qemu permissions are wrong

Marcelo Cerri mhcerri at linux.vnet.ibm.com
Fri Jan 10 10:11:32 UTC 2014

Thanks Richard,

I agree with you. Do you have any suggestion how this should be
implemented? My first impression is that the virSecurityManager*
internal API should be extended to support that.

The current code in qemu_process.c already uses
virSecurityManagerSetDaemonSocketLabel() and
virSecurityManagerClearSocketLabel() to set the correct SELinux context.
However they can't be used to add similar functionality to DAC driver.


On Thu, Jan 09, 2014 at 04:57:30PM +0000, Richard W.M. Jones wrote:
> On Thu, Jan 09, 2014 at 02:12:20PM -0200, Marcelo Cerri wrote:
> > Hi,
> > 
> > Any directions regarding which is the best approach to correct the bug
> > reported in https://bugzilla.redhat.com/show_bug.cgi?id=1045040 ?
> [This is a copy of the comment I added to that bug]
> libvirt currently creates the monitor sockets directly in
> /var/lib/libvirt/qemu/ eg:
> $ sudo ls -l /var/lib/libvirt/qemu/
> total 16
> srwxr-xr-x. 1 qemu qemu    0 Jan  6 16:00 builder-rhel6.monitor
> srwxr-xr-x. 1 qemu qemu    0 Dec 20 22:04 builder-rhel7.monitor
> [etc]
> The problem is this doesn't work if we told libvirt to run qemu as
> another UID, which is possible (albeit undocumented):
>   <seclabel model='dac' type='static'> <label>user:group</label> </seclabel>
> If you do that you'll find that qemu won't be able to access the
> monitor socket in some situations.
> To fix this, libvirt should create a subdirectory per guest.  The
> permissions on /var/lib/libvirt/qemu/ should be relaxed, and the owner
> or SELinux label of /var/lib/libvirt/qemu/<guestname> should be set so
> qemu can access it.
> (I suspect the monitor sockets should really go in /run, but the
> same arguments apply)
> Rich.
> -- 
> Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
> virt-p2v converts physical machines to virtual machines.  Boot with a
> live CD or over the network (PXE) and turn machines into KVM guests.
> http://libguestfs.org/virt-v2v

More information about the libvir-list mailing list