[libvirt-users] Stop the relabeling of CD images

Eric Blake eblake at redhat.com
Mon Aug 19 20:24:41 UTC 2013


On 08/19/2013 01:51 PM, Cristian Ciupitu wrote:
> Hi,
> 
> I'm installing the operating system for my virtual machines from CD
> images and I would like for libvirtd to stop relabeling the
> corresponding files.  Since the installation media is no big secret, I
> have labeled the files with system_u:object_r:public_content_t:s0, but
> libvirtd keeps changing them to system_u:object_r:svirt_image_t:s0.  It
> also changes the ownership to qemu:qemu.  This means that I cannot make
> the files immutable (chattr +i).

Caveat - this is not something I have tried myself, so try it out, and
feel free to post back if it works or doesn't work for your case.

> 
> The XML dump of the machine looks like this:
> 
>     <disk type='file' device='cdrom'>
>         <driver name='qemu' type='raw'/>
>         <source file='/mnt/extra/Software/Linux/Fedora/Fedora-Live-Desktop-x86_64-19/Fedora-Live-Desktop-x86_64-19-1.iso'>
>             <seclabel relabel='no'/>

Hmm, the documentation at http://libvirt.org/formatdomain.html#seclabel
is a bit stale; the last paragraph mentions that you can apply
per-<disk> seclabel overrides, but fails to mention that model='...' is
valid in that XML.

Since you already know what label you want, it might be worth trying to
force that particular label instead of requesting no relabel, as in:

<source file=...>
  <seclabel model='selinux' relabel='yes'>
    <label>system_u:object_r:public_content_t:s0</label>
  </seclabel>
</source>

so that might get libvirt to stop doing the SELinux relabel dance on
your .iso file.  Then again, I'm not sure if that will prevent libvirt
from trying to "un-label" the device when your guest shuts down.

Then there's the question of the chown, which is caused by the DAC
driver rather than the SELinux driver.  So maybe this would do it:

<source file=...>
  <seclabel model='selinux' relabel='no'/>
  <seclabel model='dac' relabel='no'/>
</source>

I wouldn't be surprised if we need to patch our docs to be more clear
about this.  I also know that there has been talk of a patch for
teaching libvirt how to restore labels to their original state, instead
of the current problem of "restoring" labels to a single default setting
(even where that does not match the original setting).

I'm also not sure why you think to resort to chattr +i, but if using
that causes libvirt heartburn, maybe we have a bug to fix to be more
tolerant of failed label attempts due to chattr.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
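As an added example (not code from the thread or from libvirt itself), a Python helper that rewrites a domain XML so the cdrom <source> carries the per-driver `<seclabel model='selinux' relabel='no'/>` and `<seclabel model='dac' relabel='no'/>` overrides Eric proposes, plus an audit of what each disk source ends up with; whether libvirt then really leaves the file alone is still what he asks the poster to test. The sample domain XML and its paths are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the <disk> quoted in the thread (placeholder paths).
DOMAIN_XML = """\
<domain type='kvm'>
  <devices>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/f19.qcow2'/>
    </disk>
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <source file='/mnt/iso/Fedora-Live-Desktop-x86_64-19-1.iso'>
        <seclabel relabel='no'/>
      </source>
    </disk>
  </devices>
</domain>
"""

def pin_source_labels(domain_xml, device="cdrom", models=("selinux", "dac")):
    """Give every <source> of a <disk device=...> an explicit
    <seclabel model=... relabel='no'/> per security driver in `models`.
    A model-less <seclabel> (the poster's form) is replaced; other disks stay as-is."""
    root = ET.fromstring(domain_xml)
    for disk in root.iterfind("./devices/disk"):
        source = disk.find("source")
        if disk.get("device") != device or source is None:
            continue
        for sl in source.findall("seclabel"):
            if sl.get("model") is None:
                source.remove(sl)
        present = {sl.get("model"): sl for sl in source.findall("seclabel")}
        for model in models:
            sl = present.get(model)
            if sl is None:
                sl = ET.SubElement(source, "seclabel", model=model)
            sl.set("relabel", "no")  # this driver leaves label/ownership alone
    return ET.tostring(root, encoding="unicode")

def relabel_policy(domain_xml):
    """Audit: {source path: {model: relabel}} for each file-backed disk.
    A driver with no entry falls back to the domain-wide seclabel."""
    root = ET.fromstring(domain_xml)
    return {
        src.get("file"): {sl.get("model", "<default>"): sl.get("relabel", "<default>")
                          for sl in src.findall("seclabel")}
        for src in root.iterfind("./devices/disk/source")
        if src.get("file") is not None
    }
```

Feed the rewritten XML to `virsh define` and re-run `relabel_policy` on `virsh dumpxml` afterwards to confirm libvirt kept the overrides.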
