Re: [libvirt] [PATCHv5 00/13] outgoing fd: migration and virFileOpenAs

On Sat, Mar 26, 2011 at 06:52:29AM -0600, Eric Blake wrote: > This addresses the comments raised during v4: > https://www.redhat.com/archives/libvir-list/2011-March/msg00421.html > More comments in individual patches. > > It could still use a bit more testing with root-squash NFS, and I'm > also hitting a problem where if I run daemon/libvirtd myself, I > get a SELinux error: > > error: unable to set security context 'system_u:object_r:svirt_image_t:s0:c80,c237' on fd 23: Permission denied > > but if I run the system service libvirtd or SELinux permissive, things > work. Somehow, the attempt to set the fd SELinux label on a pipe is > not working when libvirt is started as an unconfined process (that is, > the fd has label > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023) but when > started as a daemon, SELinux is happy to allow the transition. I > suspect that this is a bug in SELinux, since my understanding is that > it should always be possible to go from unconfined to something more > restrictive, but we already proved that SELinux fd labelling is > relatively unused and untested back when we first added it in commit > 34a19dda. > > If possible, I'd like to get this in before the 0.9.0 freeze, and we > can fix any fallout from testing during the freeze week. Okay, go ahead, 5 iterations is a lot already, and we will clean things up as they go later. Reviewing giant patch series ain't fun for anybody (wild guess on my part :-) , and reviewing the fixes is preferable now, ACK