
Re: [libvirt] unable to set security context (NFSv4 problem?)



Harald Dunkel wrote:
> Hi Spencer,
>
> I could reproduce the EINVAL on the command line:
>
> 	srvl022:/storage# touch /storage/x
> 	srvl022:/storage# chown 110:140 /storage/x
> 	chown: changing ownership of `/storage/x': Invalid argument
>
> 110 and 140 are not valid UIDs and GIDs on the NFS
> server. They are defined in the local passwd/group files
> on the libvirt server only. After defining the user and
> group on the NFS server the error message is gone.
>
> Obviously NFSv4 is a little bit picky about remote root
> users trying to change the ownership of files. This seems
> to break qemuSecurityDACSetOwnership() in qemu_security_dac.c,
> giving me the "unable to set security context" message.
>
> Do you think it would be possible to introduce a configure
> option '--with-dac=no'?

I think that would be a little misleading ;) It sounds like part of the problem was that the error message wasn't clearly conveying the reason for the problem. It wasn't an SELinux security context that was causing issues, it was DAC user/group. I just submitted a patch to clarify the error message to reference user/group instead of "security context."

--Spencer


> Regards
>
> Harri
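
The failure discussed in this thread, as an added example that is not libvirt's code and not the patch Spencer mentions: a chown() wrapper whose error message names the DAC user and group and, for EINVAL, points at the NFSv4 cause found above. The helper names `dac_chown_hint` and `dac_set_ownership` are hypothetical; the path and IDs in `main` are taken from the quoted session.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: map a chown() errno to a hint for the operator. */
static const char *dac_chown_hint(int err)
{
    switch (err) {
    case EINVAL:
        /* The case from this thread: IDs unknown to the NFSv4 server. */
        return "on NFSv4, check that the user and group exist on the NFS server";
    case EPERM:
        return "caller may not change ownership (on NFS, check root squashing)";
    case EROFS:
        return "file system is mounted read-only";
    default:
        return "no specific hint";
    }
}

/* Hypothetical helper: chown() with a message that names the DAC user and
 * group instead of a generic label. Returns 0 on success, -1 on failure
 * with msg filled in and errno preserved. */
static int dac_set_ownership(const char *path, uid_t uid, gid_t gid,
                             char *msg, size_t msglen)
{
    if (chown(path, uid, gid) == 0) {
        if (msglen > 0)
            msg[0] = '\0';
        return 0;
    }
    int err = errno;
    snprintf(msg, msglen,
             "unable to set user and group to '%lu:%lu' on '%s': %s (%s)",
             (unsigned long)uid, (unsigned long)gid, path,
             strerror(err), dac_chown_hint(err));
    errno = err;
    return -1;
}

int main(void)
{
    char msg[512];
    /* Path and IDs from the session quoted above. */
    if (dac_set_ownership("/storage/x", 110, 140, msg, sizeof(msg)) < 0)
        fprintf(stderr, "%s\n", msg);
    return 0;
}
```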

