Re: [libvirt] [Qemu-devel] QEMU fstatfs(2) and libvirt SELinux policy

On 03/09/2012 09:16 AM, Jiri Denemark wrote: > Hi. > > On Fri, Mar 09, 2012 at 11:32:47 +0000, Stefan Hajnoczi wrote: > ... >> static __inline__ int platform_test_xfs_fd(int fd) >> { >>         struct statfs buf; >>         if (fstatfs(fd, &buf) < 0) >>                 return 0; >>         return (buf.f_type == 0x58465342);      /* XFSB */ >> } >> >> In other words, XFS detection will fail when SELinux is enabled. >> >> I'm not familiar with libvirt's use of SELinux.  Can someone explain >> if we need to expand the policy in libvirt and how to do that? > Actually, there is no SELinux policy in libvirt. Libvirt merely uses an > appropriate security context when running qemu processes. The rules what such > processes can do and what they are forbidden to do are described in SELinux > policy which is provided as a separate package (or packages on some distros). > So it's this policy (selinux-policy package on Fedora based distros) which > would need to be expanded. Thus it should be negotiated with SELinux policy > maintainers if they are willing to allow svirt_t domain calling fstatfs. (Also, since the problem occurs on NFS, this may need to be somehow related to virt_use_nfs being turned on.)