Harald Dunkel wrote:

Hi Spencer,

I could reproduce the EINVAL on the command line:

srvl022:/storage# touch /storage/x
srvl022:/storage# chown 110:140 /storage/x
chown: changing ownership of `/storage/x': Invalid argument

110 and 140 are not valid UIDs and GIDs on the NFS
server. They are defined in the local passwd/group files
on the libvirt server only. After defining the user and
group on the NFS server the error message is gone.

Obviously NFSv4 is a little bit picky about remote root
users trying to change the ownership of files. This seems
to break qemuSecurityDACSetOwnership() in qemu_security_dac.c,
giving me the "unable to set security context" message.

Do you think it would be possible to introduce a configure
option '--with-dac=no'?

I think that would be a little misleading ;) It sounds like part of the
problem was that the error message wasn't clearly conveying the reason
for the problem. It wasn't an SELinux security context that was causing
issues, it was DAC user/group. I just submitted a patch to clarify the
error message to reference user/group instead of "security context."

--Spencer

Regards
Harri