libvir-list-bounces@redhat.com wrote on 08/06/2012 11:18:31 AM:
> From:
>
> Laine Stump <laine@laine.org>
>
> To:
>
> libvir-list@redhat.com
>
> Date:
>
> 08/06/2012 11:27 AM
>
> Subject:
>
> Re: [libvirt] [Patch v3 0/3] Add QEMU network helper support
>
> Sent by:
>
> libvir-list-bounces@redhat.com
>
> On 08/06/2012 10:56 AM, Michal Privoznik wrote:
> > On 03.08.2012 22:33, rmarwah@linux.vnet.ibm.com wrote:
> >> From: Richa Marwaha <rmarwah@linux.vnet.ibm.com>
> >>
> >> QEMU has a new feature which allows QEMU to execute under an
> unprivileged user ID and still be able to
> >> add a tap device to a Linux network bridge.
> >> [...]
> > So I've went ahead, reviewed, ACKed and pushed whole series.
> > I suggest is worth adding some kind of documentation (either a wiki
> > page, or mention it somewhere in docs/ docs/drvqemu.html.in perhaps?) -
> > how to set up bridge-helper.
>
> Yes, it's a bit odd to figure out the right place to document it, since
> there is no setup done within libvirt - libvirt just silently takes
> advantage of it if it's there.
>
> By the way, I had earlier expressed concern about the eventuality that
> we support bridged networking for non-privileged users directly within
> libvirt (via a separate libvirt-networkd and policykit), and the case
> where someone had a working config using the qemu helper - I was worried
> that this person's setup might stop working as a result of the upgrade
> which changed to the newer method of setting up the network (e.g. if
> something needed to be configured to allow that user access via
> policykit, and hadn't been done yet). Since then I've realized that we
> can handle that problem by continuing to fall back to the qemu helper
> when this (for now mythical) new method fails. That removes my only
> concern about this series.
>
> Another issue though - a patch for AppArmor has been included, but I'm
> unclear of whether this needs something done for selinux (either in
> libvirt itself, or in selinux-policy). Does somebody have the updated
> qemu installed on a system with selinux enabled, and could you give it a
> try?
selinux already has the policies to allow qemu helper , here is the link to the patch adding the policies
http://git.fedorahosted.org/cgit/selinux-policy.git/diff/?id=56e0a4b775f29ec13e6f887490ec9fbc6f9897f4
It will be upstream in Fedora.
Regards
Richa
>
> --
> libvir-list mailing list
> libvir-list@redhat.com
> https://www.redhat.com/mailman/listinfo/libvir-list
>