[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] Re: [PATCH] Add huge page support to libvirt, v2..



On Tue, Jul 28, 2009 at 08:04:31AM -0400, Stephen Smalley wrote:
> On Mon, 2009-07-27 at 22:55 +0100, Daniel P. Berrange wrote:
> > 
> > In light of what Chris said about extended attribute support
> > for SELinux I think we, sadly, have no choice by to mount
> > a new instance of hugetlbfs per VM, labelled with the context
> > of that VM. The problem is that this doesn't really fit into
> > the internal architecture we have in the slightest. The
> > SELinux support we have is focused around re-labelling
> > existing resources.
> > 
> > This hugetlbfs support implies that the SELinux driver is
> > altering our command line arg generator, which is not an
> > easy thing for us to support, given the code flow here. 
> > We might have to resort to sick gross hacks.... unless the
> > kernel guys think it's easy to add extended attribute support
> > to hugetlbfs in no time at all.
> 
> There is a vfs fallback for setxattr of the security.* namespace to the
> security module, which would work for hugetlbfs if not for the fact that
> policy defines it as a genfscon-labeled filesystem.  We only started
> prohibiting setxattr on genfscon-labeled filesystems in 2.6.30; prior to
> that we only did that for mountpoint-labeled filesystems.  I can
> actually chcon a file in a hugetlbfs mount on 2.6.29.

Ahh, I can get that to work too on 2.6.29, I had previously
been testing 2.6.30 :-)

> To convert hugetlbfs to fully support labeling we'd need
> hugetlbfs_mknod() to call security_inode_init_security() to set up new
> inode security labels, just like shmem_mknod() does for tmpfs.  And then
> we'd need to switch over the policy from genfscon to fs_use_trans.

This sounds like a preferable plan to me - avoids having to have 100s,
if not 1000s, of instances of hugetlbfs mounted on large machines, then
John's latest patch for libvirt would pretty much be sufficient.

Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
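As an added example (not part of the original thread, and not libvirt or kernel code), the check Stephen and Daniel describe above can be made mechanical: the program below tries to set security.selinux on a file through setxattr(2), which is the path that reaches the VFS fallback to the security module, and reports EOPNOTSUPP when the kernel refuses it for a genfscon-labelled filesystem. The only kernel interfaces used are setxattr/getxattr; the file path and the target context are command-line arguments supplied by the operator, and the verdict strings are this example's own.

```c
/* Added example (not libvirt or kernel code): probe whether a file on a
 * given filesystem, e.g. a hugetlbfs mount, accepts a security.selinux
 * relabel through setxattr(2). Path and context come from argv. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/xattr.h>

/* Attempt to set security.selinux on path to ctx.
 * Returns 0 on success or -errno on failure. */
int probe_label(const char *path, const char *ctx)
{
    if (setxattr(path, "security.selinux", ctx, strlen(ctx) + 1, 0) == 0)
        return 0;
    return -errno;
}

/* Read the current security.selinux value into buf (NUL-terminated).
 * Returns the number of bytes read or -errno. */
int read_label(const char *path, char *buf, size_t len)
{
    ssize_t n;
    if (len == 0)
        return -EINVAL;
    n = getxattr(path, "security.selinux", buf, len - 1);
    if (n < 0)
        return -errno;
    buf[n] = '\0';
    return (int)n;
}

/* Turn probe_label()'s return code into a one-line verdict. */
const char *explain(int rc)
{
    switch (-rc) {
    case 0:
        return "relabel accepted: the filesystem takes security.* via setxattr";
    case EOPNOTSUPP:
        return "EOPNOTSUPP: setxattr refused, as on a genfscon-labelled fs (2.6.30+)";
    case EACCES:
    case EPERM:
        return "refused by policy: the fs supports labels but this domain may not relabel";
    case ENOENT:
        return "path does not exist";
    default:
        return strerror(-rc);
    }
}

int main(int argc, char **argv)
{
    char before[256], after[256];
    int rc;

    if (argc != 3) {
        fprintf(stderr, "usage: %s <file on hugetlbfs mount> <selinux context>\n",
                argv[0]);
        return 2;
    }
    if (read_label(argv[1], before, sizeof before) < 0)
        snprintf(before, sizeof before, "(unreadable: %s)", strerror(errno));
    rc = probe_label(argv[1], argv[2]);
    printf("before: %s\nresult: %s\n", before, explain(rc));
    if (rc == 0 && read_label(argv[1], after, sizeof after) >= 0)
        printf("after:  %s\n", after);
    return rc == 0 ? 0 : 1;
}
```

Run it as root against a freshly created file inside a hugetlbfs mount, then against a file on tmpfs with the same context: tmpfs (fs_use_trans in policy) should accept the relabel while hugetlbfs returns EOPNOTSUPP on 2.6.30 and later, which is exactly the difference the thread is about. On a kernel without SELinux enabled the hugetlbfs and tmpfs results are typically both EOPNOTSUPP, so the tmpfs control run tells you whether the tool is measuring policy or the absence of an LSM.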