On 3/8/23 11:49 PM, Laine Stump wrote:
All the necessary explanation is in Patch 3/4.
We may want to turn on this same behavior for some other external
processes, but right now the one we need it for is passt.
Resolves:
https://bugzilla.redhat.com/2172267
I forgot to mention that proper operation requires the latest updates to
passt, as well as a patch to selinux-policy that still needs to be
posted/merged.
Laine Stump (4):
  util: add an API to retrieve the resolved path to a virCommand's
    binary
  security: make args to virSecuritySELinuxContextAddRange() const
  security: make it possible to set SELinux label of child process from
    its binary
  qemu: set SELinux label of passt process to its own binary's label
src/libvirt_private.syms | 1 +
src/qemu/qemu_dbus.c | 2 +-
src/qemu/qemu_passt.c | 2 +-
src/qemu/qemu_process.c | 2 +-
src/qemu/qemu_security.c | 5 ++-
src/qemu/qemu_security.h | 1 +
src/qemu/qemu_slirp.c | 2 +-
src/qemu/qemu_tpm.c | 3 +-
src/qemu/qemu_vhost_user_gpu.c | 2 +-
src/security/security_apparmor.c | 1 +
src/security/security_dac.c | 1 +
src/security/security_driver.h | 1 +
src/security/security_manager.c | 8 +++-
src/security/security_manager.h | 1 +
src/security/security_nop.c | 1 +
src/security/security_selinux.c | 77 ++++++++++++++++++++++++++++++--
src/security/security_stack.c | 5 ++-
src/util/vircommand.c | 51 ++++++++++++++++-----
src/util/vircommand.h | 1 +
19 files changed, 143 insertions(+), 24 deletions(-)