On Sun, 2017-08-27 at 12:20 -0400, Cole Robinson wrote:
This fixes the last issue preventing qemu:///system spice GL from working out of the box: chown'ing the rendernode path so we have permissions to open it.
We skip this if mount namespaces are disabled, so the chown'ing won't interfere with other rendernode users on the host.
https://bugzilla.redhat.com/show_bug.cgi?id=1460804
v2: Add the MOUNT_NAMESPACE handling Drop DAC restore of rendernode
Cole Robinson (2): security: add MANAGER_MOUNT_NAMESPACE flag security: dac: relabel spice rendernode
src/qemu/qemu_driver.c | 2 ++ src/security/security_dac.c | 68 +++++++++++++++++++++++++++++++++++++++++ src/security/security_dac.h | 3 ++ src/security/security_manager.c | 4 ++- src/security/security_manager.h | 1 + 5 files changed, 77 insertions(+), 1 deletion(-)
Looks reasonable and works as expected on my Fedora 26 installation, so for the entire series: Reviewed-by: Andrea Bolognani <abologna@redhat.com> You should document this in the release notes, though :) -- Andrea Bolognani / Red Hat / Virtualization