[libvirt-users] Stop the relabeling of CD images
Cristian Ciupitu
cristian.ciupitu at yahoo.com
Tue Aug 20 20:17:19 UTC 2013
----- Original Message -----
> From: Martin Kletzander <mkletzan at redhat.com>
> To: Cristian Ciupitu <cristian.ciupitu at yahoo.com>
> Cc: Eric Blake <eblake at redhat.com>; libvirt-users <libvirt-users at redhat.com>
> Sent: Tuesday, August 20, 2013 6:05 PM
> Subject: Re: [libvirt-users] Stop the relabeling of CD images
>
> On 08/20/2013 04:19 AM, Cristian Ciupitu wrote:
>> ----- Original Message -----
>>> From: Eric Blake <eblake at redhat.com>
>>> To: Cristian Ciupitu <cristian.ciupitu at yahoo.com>
>>> Cc: libvirt-users <libvirt-users at redhat.com>
>>> Sent: Monday, August 19, 2013 11:24 PM
>>> Subject: Re: [libvirt-users] Stop the relabeling of CD images
>>
>>> So maybe this would do it:
>>>
>>> <source file=...>
>>> <seclabel model='selinux' relabel='no'/>
>>> <seclabel model='dac' relabel='no'/>
>>> </source>
>>
>> I've just tried it and the SELinux label is not changed anymore, but
>> the ownership is still changed to qemu:qemu.
>>
>>> I'm also not sure why you think to resort to chattr +i, but if using
>>> that causes libvirt heartburn, maybe we have a bug to fix to be more
>>> tolerant of failed label attempts due to chattr.
>>
>> I resorted to `chattr +i` because I got tired of libvirtd messing with
>> my files even if it wasn't required. The official versions of libvirtd
>> from Fedora 18 or 19 used to complain about not being able to change the
>> files, but the current bleeding edge version hasn't complained (with the
>> XML config from above).
>>
>> To sum it up, SELinux - solved, DAC - not (yet).
>>
>
> I played with it earlier, but I'm not sure which settings we use when.
> This is just a "possible workaround", even though it might look like
> it's doing something else. Anyway, if I'm not mistaken, adding a
> <shareable/> into the <disk> element should stop all relabeling.
> Correct me if I'm wrong and post your findings, I'll try how relabel
> works for DAC with upstream in the meantime.

<shareable/> didn't work for me. This is what I currently have:

# virsh dumpxml test
...
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <source file='/mnt/extra/Software/Linux/Fedora/Fedora-Live-Desktop-x86_64-19/Fedora-Live-Desktop-x86_64-19-1.iso'>
        <seclabel model='selinux' relabel='no'/>
      </source>
      <target dev='hdc' bus='ide'/>
      <readonly/>
      <shareable/>
      <address type='drive' controller='0' bus='1' target='0' unit='0'/>
    </disk>
...

And this is what happens:

# ls -lZ Fedora-Live-Desktop-x86_64-19-1.iso
-r--r--r--. root root system_u:object_r:public_content_t:s0 Fedora-Live-Desktop-x86_64-19-1.iso
# virsh start test
Domain test started
# ls -lZ Fedora-Live-Desktop-x86_64-19-1.iso
-r--r--r--. qemu qemu system_u:object_r:public_content_t:s0 Fedora-Live-Desktop-x86_64-19-1.iso

Adding <seclabel model='dac' relabel='no'/> under <source> doesn't make
a difference.

Kind regards,
Cristian Ciupitu
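
Added example, not part of the original message and not libvirt code: a small Python helper that lists the per-source <seclabel> overrides in a domain XML and records the owner and SELinux label of a file, so the before/after `ls -lZ` comparison above can be scripted. The sample XML is constructed from the <disk> element in the thread with a placeholder path; the function names are hypothetical.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample modelled on the <disk> element quoted in the thread
# (the source path is a placeholder, not the poster's real path).
SAMPLE_XML = """
<domain type='kvm'>
  <name>test</name>
  <devices>
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <source file='/path/to/image.iso'>
        <seclabel model='selinux' relabel='no'/>
      </source>
      <target dev='hdc' bus='ide'/>
      <readonly/>
      <shareable/>
    </disk>
  </devices>
</domain>
"""

def disk_overrides(domain_xml):
    """Map each file-backed disk source to its per-source seclabel overrides."""
    out = {}
    root = ET.fromstring(domain_xml)
    for src in root.iterfind("./devices/disk/source[@file]"):
        out[src.get("file")] = {s.get("model"): s.get("relabel")
                                for s in src.findall("seclabel")}
    return out

def snapshot(path):
    """Record what `ls -lZ` shows: uid, gid and SELinux label (None if absent)."""
    st = os.stat(path)
    try:
        raw = os.getxattr(path, "security.selinux")
        label = raw.rstrip(b"\0").decode()
    except (OSError, AttributeError):  # no label, or xattrs unsupported here
        label = None
    return {"uid": st.st_uid, "gid": st.st_gid, "selinux": label}

def drift(before, after):
    """Return the fields that differ between two snapshots as (old, new)."""
    return {k: (before[k], after[k]) for k in before if before[k] != after[k]}
```

Take a snapshot of each path returned by disk_overrides() before `virsh start`, another afterwards, and pass both to drift(); as the thread shows, the XML override alone does not prove the file was left untouched.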