[libvirt] [PATCH] spec: Yet another permission fix for qemu dirs

Martin Kletzander mkletzan at redhat.com
Wed Feb 25 14:08:03 UTC 2015


On Wed, Feb 25, 2015 at 01:29:31PM +0000, Daniel P. Berrange wrote:
>On Wed, Feb 25, 2015 at 09:50:27AM +0100, Martin Kletzander wrote:
>> Since we autogenerate path for QEMU guest agent into
>> LOCALSTATEDIR /lib/libvirt/qemu/channel/target/, the process should be
>> able to access that socket no matter under what user/group it is
>> running so you can set the user/group in qemu.conf.
>>
>> Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1146886
>
>>  %config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.qemu
>>  %dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/qemu/
>>  %ghost %dir %attr(0700, root, root) %{_localstatedir}/run/libvirt/qemu/
>> -%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/
>> -%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/
>> -%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/target/
>> +%dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/
>> +%dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/
>> +%dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/target/
>>  %dir %attr(0711, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/nvram/
>>  %dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/cache/libvirt/qemu/
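Review bot: The three `+` lines only add the search bit for "other" (0750 -> 0751) on qemu/, channel/ and channel/target/, which does not match the commit message's goal that the process can access the socket under any user/group. A process that is neither %{qemu_user} nor in %{qemu_group} can now traverse these directories, but it still has no write permission in them, and creating a socket there requires write on the containing directory. Please state in the commit message which operation this is meant to enable (reaching an existing socket versus creating one), and if creation under an arbitrary user/group is the goal, a mode change on these %dir lines is not sufficient.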
>
>I'm confused how this solves the problem.  If I edit a guest and add
>
>  <seclabel type='static' model='dac' relabel='yes'>
>    <label>berrange:berrange</label>
>  </seclabel>
>
>And launch it, it fails to create the QEMU monitor socket
>
>  error: Failed to start domain serial
>  error: internal error: process exited while connecting to monitor: 2015-02-25T13:26:51.620498Z qemu-system-x86_64: -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/serial.monitor,server,nowait: Failed to bind socket: Permission denied
>  2015-02-25T13:26:51.620608Z qemu-system-x86_64: -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/serial.monitor,server,nowait: chardev: opening backend "socket" failed
>
>Because a process running berrange:berrange does not have write permission on
>the /var/lib/libvirt/qemu directory.
>

Yes.  I'm still thinking about how to make this *just work* for
various users on the same system.  The only valid thing would seem to
be to pass an fd for such sockets, which I don't know whether QEMU supports.

>Changing the mode to 0751 doesn't do anything to solve that. After setting the
>dir to mode 0751 qemu still gets the same permission denied when creating the
>monitor socket as it still lacks write permission.
>

I realized that a while after I sent it and I replied to John that
this doesn't fix the problem.  I was just in the middle of writing
that mail when you replied (probably).

>Regards,
>Daniel
>--
>|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
>|: http://libvirt.org              -o-             http://virt-manager.org :|
>|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
>|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
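
Added example, not part of the original thread or of libvirt's code: a small model of POSIX permission-class selection applied to the 0750 and 0751 modes from the spec hunk, showing why the extra search bit lets another user traverse the directories but not bind a socket in them. The numeric uid/gid values are constructed, and ACLs, root/capability overrides and SELinux are deliberately ignored.

```python
QEMU_UID, QEMU_GID = 107, 107        # constructed ids standing in for %{qemu_user}/%{qemu_group}
OTHER_UID, OTHER_GID = 1000, 1000    # constructed ids for a per-guest DAC label

def granted(mode, owner, group, uid, gids):
    """Return the rwx bits (0-7) POSIX DAC grants; exactly one class applies."""
    if uid == owner:
        return (mode >> 6) & 7
    if group in gids:
        return (mode >> 3) & 7
    return mode & 7

def can_traverse(dirs, uid, gids):
    """Search (x) is needed on every directory along the path."""
    return all(granted(m, o, g, uid, gids) & 1 for m, o, g in dirs)

def can_bind(dirs, uid, gids):
    """bind() on a UNIX socket creates a file: it needs w+x on the last
    directory and x on every directory above it."""
    *parents, last = dirs
    bits = granted(*last, uid, gids)
    return can_traverse(parents, uid, gids) and (bits & 3) == 3

def chain(mode, depth=3):
    """qemu/, channel/, channel/target/ from the spec hunk, all set to `mode`."""
    return [(mode, QEMU_UID, QEMU_GID)] * depth

def report(mode):
    """(traverse, bind) for the non-qemu user, then for the qemu user."""
    dirs = chain(mode)
    return (can_traverse(dirs, OTHER_UID, {OTHER_GID}),
            can_bind(dirs, OTHER_UID, {OTHER_GID}),
            can_traverse(dirs, QEMU_UID, {QEMU_GID}),
            can_bind(dirs, QEMU_UID, {QEMU_GID}))

if __name__ == "__main__":
    for mode in (0o750, 0o751):
        print(oct(mode), report(mode))
    # Monitor socket case from the thread: bind directly in qemu/ (depth 1).
    print(can_bind(chain(0o751, 1), OTHER_UID, {OTHER_GID}))
```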