On Wed, Oct 26, 2016 at 17:39:35 +0200, Daniel P. Berrange wrote:
> On Wed, Oct 26, 2016 at 02:36:58PM +0200, Michal Privoznik wrote:
> > This is a small helper intended to be run by udev. On its input
> > (either as the only command line argument or in DEVNODE
> > environment variable) it is given a device and on the output it
> > will either put nothing (meaning the device is not used by any of
> > the libvirt domains), or it will print out security labels in the
> > following form:
> >
> > UID GID SELABEL
>
> How is this intended to be actually used? I.e. what udev rule are
> you creating along with this?

Yeah, the rule should really be part of this series.

> IMHO we just want the helper to indicate that udev should not do
> anything to the device - we should not need udev to ever set labels
> itself as libvirt has already set them - we just don't want udev to
> remove them. IOW, I don't see the need to print out this info at all.

That would be nice, but unfortunately there's no way to tell udev not to
touch a specific device (I discussed this stuff with Michal Sekletar).
Other udev rules might have already set UID/GID/SELABEL for the device
and we can only change it to contain the required content; we can't
reset them to "don't change any of these".
And if you were thinking that our rule could be the first rule called on
each device (rather than the last one), there's no way to tell udev to
just skip all other rules and ignore the device. It will run through all
rules and they will set their own UID/GID/SELABEL as they wish.
Jirka