Virtqemud wants to unlink /dev/urandom

Michal Prívozník mprivozn at
Wed Mar 16 12:28:31 UTC 2022

On 3/16/22 12:40, Nikola Knazekova wrote:
> Hi guys,
> Thank you very much for the detailed explanation.
> With the mount namespace feature turned off, there were no SELinux denials.
> Michal, I saw your commit
> <>,
> where firstly the existence of devices is checked. I assume when some
> correction is required, virtqemud will still need unlink permission, right?

Correct. So users can still hotplug and hotunplug devices from running
guests. In case of hotunplug, libvirt will remove the corresponding /dev
node. For instance, PCI devices need /dev/vfio/vfio. But if you
hotunplug the last PCI device from your guest, then libvirt will also remove
/dev/vfio/vfio from the namespace.

Therefore, we still need libvirt/virtqemud/virtlxcd to be able to remove
files from under /dev.
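Illustration added here, not part of the thread or of libvirt: a small Python parser that pulls AVC records out of audit log text and keeps only the denials where the virtqemud domain was refused unlink on a device node, which is the pattern described above for mount-namespace cleanup on hot-unplug. The audit lines, the SELinux type names (virtqemud_t and the device types) and the function names are constructed assumptions for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample audit records (assumption: not taken from the thread).
# Two unlink denials from the libvirt daemon against /dev nodes, plus one
# unrelated denial that the filter must ignore.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1647433711.123:456): avc:  denied  { unlink } for  pid=1234 comm="virtqemud" name="urandom" dev="tmpfs" ino=42 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1647433711.124:457): avc:  denied  { unlink } for  pid=1234 comm="virtqemud" name="vfio" dev="tmpfs" ino=43 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:vfio_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1647433711.200:458): avc:  denied  { read } for  pid=2222 comm="httpd" name="index.html" dev="sda1" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

# Field order follows the standard AVC record layout: permissions, comm,
# object name, source context, target context, target class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'name="(?P<name>[^"]*)".*?'
    r'scontext=\w+:\w+:(?P<stype>\w+).*?'
    r'tcontext=\w+:\w+:(?P<ttype>\w+).*?'
    r'tclass=(?P<tclass>\S+)'
)


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Return the interesting fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec: Dict[str, object] = dict(m.groupdict())
    rec["perms"] = str(rec["perms"]).split()  # "{ unlink }" -> ["unlink"]
    return rec


def device_unlink_denials(audit_text: str, domain: str = "virtqemud_t") -> List[Dict[str, object]]:
    """Denials where `domain` was refused unlink on a character or block device.

    These are the records a defender would expect to see when the libvirt
    mount namespace removes a /dev node (e.g. /dev/vfio/vfio after the last
    PCI device is hot-unplugged) and the policy does not grant unlink.
    """
    hits = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if (rec and rec["stype"] == domain and "unlink" in rec["perms"]
                and rec["tclass"] in ("chr_file", "blk_file")):
            hits.append(rec)
    return hits
```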
