[libvirt] /var/lib/libvirt/qemu permissions are wrong
mhcerri at linux.vnet.ibm.com
Fri Jan 10 10:11:32 UTC 2014
I agree with you. Do you have any suggestion how this should be
implemented? My first impression is that the virSecurityManager*
internal API should be extended to support that.
The current code in qemu_process.c already uses
virSecurityManagerClearSocketLabel() to set the correct SELinux context.
However they can't be used to add similar functionality to DAC driver.
On Thu, Jan 09, 2014 at 04:57:30PM +0000, Richard W.M. Jones wrote:
> On Thu, Jan 09, 2014 at 02:12:20PM -0200, Marcelo Cerri wrote:
> > Hi,
> > Any directions regarding which is the best approach to correct the bug
> > reported in https://bugzilla.redhat.com/show_bug.cgi?id=1045040 ?
> [This is a copy of the comment I added to that bug]
> libvirt currently creates the monitor sockets directly in
> /var/lib/libvirt/qemu/ eg:
> $ sudo ls -l /var/lib/libvirt/qemu/
> total 16
> srwxr-xr-x. 1 qemu qemu 0 Jan 6 16:00 builder-rhel6.monitor
> srwxr-xr-x. 1 qemu qemu 0 Dec 20 22:04 builder-rhel7.monitor
> The problem is this doesn't work if we told libvirt to run qemu as
> another UID, which is possible (albeit undocumented):
> <seclabel model='dac' type='static'> <label>user:group</label> </seclabel>
> If you do that you'll find that qemu won't be able to access the
> monitor socket in some situations.
> To fix this, libvirt should create a subdirectory per guest. The
> permissions on /var/lib/libvirt/qemu/ should be relaxed, and the owner
> or SELinux label of /var/lib/libvirt/qemu/<guestname> should be set so
> qemu can access it.
> (I suspect the monitor sockets should really go in /run, but the
> same arguments apply)
> Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
> virt-p2v converts physical machines to virtual machines. Boot with a
> live CD or over the network (PXE) and turn machines into KVM guests.
More information about the libvir-list