[libvirt-users] Stop the relabeling of CD images

Cristian Ciupitu cristian.ciupitu at yahoo.com
Tue Aug 20 20:17:19 UTC 2013


----- Original Message -----
> From: Martin Kletzander <mkletzan at redhat.com>
> To: Cristian Ciupitu <cristian.ciupitu at yahoo.com>
> Cc: Eric Blake <eblake at redhat.com>; libvirt-users <libvirt-users at redhat.com>
> Sent: Tuesday, August 20, 2013 6:05 PM
> Subject: Re: [libvirt-users] Stop the relabeling of CD images
>
> On 08/20/2013 04:19 AM, Cristian Ciupitu wrote:
>> ----- Original Message -----
>>> From: Eric Blake <eblake at redhat.com>
>>> To: Cristian Ciupitu <cristian.ciupitu at yahoo.com>
>>> Cc: libvirt-users <libvirt-users at redhat.com>
>>> Sent: Monday, August 19, 2013 11:24 PM
>>> Subject: Re: [libvirt-users] Stop the relabeling of CD images
>>
>>> So maybe this would do it:
>>>
>>> <source file=...>
>>>     <seclabel model='selinux' relabel='no'/>
>>>     <seclabel model='dac' relabel='no'/>
>>> </source>
>>
>> I've just tried it and the SELinux label is not changed anymore, but
>> the ownership is still changed to qemu:qemu.
>>
>>> I'm also not sure why you think to resort to chattr +i, but if using
>>> that causes libvirt heartburn, maybe we have a bug to fix to be more
>>> tolerant of failed label attempts due to chattr.
>>
>> I resorted to `chattr +i` because I got tired of libvirtd messing with
>> my files even if it wasn't required.  The official versions of libvirtd
>> from Fedora 18 or 19 used to complain about not being able to change the
>> files, but the current bleeding edge version hasn't complained (with the
>> XML config from above).
>>
>> To sum it up, SELinux - solved, DAC - not (yet).
>>
>
> I played with it earlier, but I'm not sure which settings we use when.
> This is just a "possible workaround", even though it might look like
> it's doing something else.  Anyway, if I'm not mistaken, adding a
> <shareable/> into the <disk> element should stop all relabeling.
> Correct me if I'm wrong and post your findings, I'll try how relabel
> works for DAC with upstream in the meantime.

<shareable/> didn't work for me.  This is what I currently have:

    # virsh dumpxml test
        ...
        <disk type='file' device='cdrom'>
          <driver name='qemu' type='raw'/>
          <source file='/mnt/extra/Software/Linux/Fedora/Fedora-Live-Desktop-x86_64-19/Fedora-Live-Desktop-x86_64-19-1.iso'>
            <seclabel model='selinux' relabel='no'/>
          </source>
          <target dev='hdc' bus='ide'/>
          <readonly/>
          <shareable/>
          <address type='drive' controller='0' bus='1' target='0' unit='0'/>
        </disk>
        ...

And this is what happens:

    # ls -lZ Fedora-Live-Desktop-x86_64-19-1.iso 
    -r--r--r--. root root system_u:object_r:public_content_t:s0 Fedora-Live-Desktop-x86_64-19-1.iso

    # virsh start test
    Domain test started

    # ls -lZ Fedora-Live-Desktop-x86_64-19-1.iso 
    -r--r--r--. qemu qemu system_u:object_r:public_content_t:s0 Fedora-Live-Desktop-x86_64-19-1.iso

Adding <seclabel model='dac' relabel='no'/> under <source> doesn't make
a difference.

Kind regards,
Cristian Ciupitu
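
Added example, not part of the original message and not libvirt code: a Python helper that automates the before/after `ls -lZ` comparison from the message above. It reads the per-disk `<seclabel ... relabel='no'/>` overrides from `virsh dumpxml` output and reports which of owner/group (DAC) or SELinux context changed on each source file. The function names and the sample path are assumptions; the SELinux context is read from the `security.selinux` extended attribute.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample modelled on the <disk> element above; the path is a placeholder.
SAMPLE_XML = """<domain type='kvm'><name>test</name><devices>
  <disk type='file' device='cdrom'>
    <source file='/tmp/example.iso'>
      <seclabel model='selinux' relabel='no'/>
    </source>
    <target dev='hdc' bus='ide'/><readonly/><shareable/>
  </disk>
</devices></domain>"""


def declared_overrides(domain_xml):
    """Map each file-backed disk source to the models that carry relabel='no'."""
    result = {}
    for disk in ET.fromstring(domain_xml).iter("disk"):
        source = disk.find("source")
        if source is None or not source.get("file"):
            continue  # empty drive or non-file source
        result[source.get("file")] = sorted(
            s.get("model") for s in source.findall("seclabel")
            if s.get("relabel") == "no" and s.get("model"))
    return result


def snapshot(path):
    """Owner/group and SELinux context of path (context is None if unavailable)."""
    st = os.stat(path)
    try:
        ctx = os.getxattr(path, "security.selinux").rstrip(b"\0").decode()
    except (OSError, AttributeError):  # no label, or platform without getxattr
        ctx = None
    return {"dac": (st.st_uid, st.st_gid), "selinux": ctx}


def changed(domain_xml, before, after):
    """List (file, model, declared_no_relabel) for every attribute that differs."""
    found = []
    for path, declared in declared_overrides(domain_xml).items():
        for model in ("dac", "selinux"):
            if before[path][model] != after[path][model]:
                found.append((path, model, model in declared))
    return found


if __name__ == "__main__":
    print(declared_overrides(SAMPLE_XML))
```

Take one `snapshot()` per source file before `virsh start` and one after, keyed by path, and pass both dictionaries to `changed()`; an entry whose third field is `True` is a change made despite a declared `relabel='no'`.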




