On Thu, Oct 27, 2016 at 8:37 AM, Jiri Denemark <jdenemar(a)redhat.com> wrote:
Yeah, the rule should really be part of this series.
I am working on the udev hook-up. I found out that the SECLABEL key doesn't
support substitutions (see %c in man 7 udev). I need to fix that first,
and then we can have a very simple udev rule file that employs the helper.
This is my WIP version:

    # /etc/udev/rules.d/99-virt.rules
    ACTION!="add|change", GOTO="virt_rules_end"
    SUBSYSTEM!="block", GOTO="virt_rules_end"
    PROGRAM="/usr/local/libexec/libvirt_udevhelper", OWNER="%c{1}", \
      GROUP="%c{2}", SECLABEL{selinux}="%c{3}", TAG+="libvirt"
    LABEL="virt_rules_end"

The SECLABEL part doesn't work yet. Also, the helper uses the DEVNODE env
variable to obtain the path to work with. It should use DEVNAME. This is my
fault, because I told Michal to use DEVNODE. I've patched it locally for now.
I will send a PR to Michal with the fix.

One more thing I want to work on is to close the possibility of a race
when execution of a change event is in-flight and the user starts a VM. Then
libvirtd writes to the devices.udev file and launches the qemu driver, but
execution of the prior change event may finish and hence reset permissions
to whatever was there before libvirtd wrote to the devices.udev database.
That is why I am adding a TAG to the device. What we could do is
write the devices.udev database and then trigger a change event from
libvirtd and locally wait for its completion (no need for event-loop
integration), which would be indicated by the TAG being present in the
event environment. However, even w/o this, the proposed patch series very
much improves the current state.
Michal
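
The PROGRAM/%c{N} contract that the rule in this mail relies on, as an added sketch that is not part of the original mail and is not libvirt's helper: udev splits the helper's stdout on whitespace, and a non-zero exit makes the PROGRAM key fail so the rule is skipped. The database line format, the `VIRT_UDEV_DB` variable and the function name `lookup_labels` are assumptions made for illustration.

```shell
#!/bin/sh
# Added sketch of a udev PROGRAM helper; not libvirt's own code.
# Assumed (hypothetical) database format, one device per line:
#   <devnode> <owner> <group> <selinux-label>
# Constructed sample line:
#   /dev/sdb qemu qemu system_u:object_r:svirt_image_t:s0:c1,c2
# %c{1}, %c{2} and %c{3} in the rule pick the three fields printed here.

# lookup_labels DEVNAME DBFILE
# Prints "owner group label" and returns 0 on an exact, well-formed match.
# Returns non-zero otherwise, so the PROGRAM key does not match and the
# device node keeps its default ownership and label.
lookup_labels() {
    dev=$1
    db=$2
    # Accept only absolute /dev paths.
    case $dev in
        /dev/*) ;;
        *) return 1 ;;
    esac
    # Whitespace would shift the %c{N} fields; ".." is never a valid node.
    case $dev in
        *[[:space:]]*|*..*) return 1 ;;
    esac
    [ -r "$db" ] || return 1
    # Pass the path through the environment so awk does not interpret
    # backslash escapes in it. Lines without exactly four fields are
    # treated as corrupt and ignored.
    LOOKUP_DEV=$dev awk '
        NF == 4 && $1 == ENVIRON["LOOKUP_DEV"] {
            print $2, $3, $4
            found = 1
            exit
        }
        END { exit (found ? 0 : 1) }
    ' "$db"
}

# udev exports the node path as DEVNAME (the mail notes DEVNODE was the
# wrong variable). The database path below is a placeholder.
if [ -n "${DEVNAME:-}" ]; then
    lookup_labels "$DEVNAME" "${VIRT_UDEV_DB:-/path/to/devices.udev}"
fi
```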