On 3/16/22 12:40, Nikola Knazekova wrote:
Hi guys,
Thank you very much for the detailed explanation.
With the mount namespace feature turned off, there were no SELinux denials.
Michal, I saw your commit
<https://gitlab.com/libvirt/libvirt/-/commit/22188790cad490f51e73dabcac657...>,
where firstly the existence of devices is checked. I assume when some
correction is required, virtqemud will still need unlink permission, right?

Correct. So users can still hotplug and hotunplug devices from running
guests. In case of hotunplug libvirt will remove corresponding /dev
node. For instance, PCI devices need /dev/vfio/vfio. But if you
hotunplug last PCI device from your guest, then libvirt will also remove
/dev/vfio/vfio from the namespace.
Therefore, we still need libvirt/virtqemud/virtlxcd to be able to remove
files from under /dev.
Michal
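To see which permissions SELinux is actually denying to the libvirt daemons on the /dev nodes the reply describes, an admin typically reads the AVC records that `ausearch -m AVC` prints. The following is an added example, not code from this thread or from libvirt: it parses such records and counts the denied (process, object class, permission) triples for virtqemud and virtlxcd, so a denial of `unlink` on a `chr_file` such as /dev/vfio/vfio stands out. The audit lines are constructed samples in the real AVC format; the contexts and inode numbers in them are made up.

```python
"""Summarize SELinux AVC denials for libvirt daemons (added example)."""
import re
from collections import Counter

# 'avc:  denied  { perm1 perm2 } for  key=value key="value" ...'
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values may be double-quoted (comm, name, path)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, val in FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')
    return rec


def summarize(lines, comms=('virtqemud', 'virtlxcd')):
    """Count (comm, tclass, permission) for denials raised by the given daemons."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec and rec.get('comm') in comms:
            for perm in rec['perms']:
                counts[(rec['comm'], rec.get('tclass', '?'), perm)] += 1
    return counts


# Constructed sample log: two unlink denials for virtqemud on a char device
# in the guest's private /dev, one unrelated denial, one non-AVC record.
SAMPLE_LOG = [
    'type=AVC msg=audit(1647427200.101:401): avc:  denied  { unlink } for  '
    'pid=1234 comm="virtqemud" name="vfio" dev="tmpfs" ino=1001 '
    'scontext=system_u:system_r:virtqemud_t:s0 '
    'tcontext=system_u:object_r:vfio_device_t:s0 tclass=chr_file permissive=0',
    'type=AVC msg=audit(1647427260.102:402): avc:  denied  { unlink } for  '
    'pid=1234 comm="virtqemud" name="vfio" dev="tmpfs" ino=1001 '
    'scontext=system_u:system_r:virtqemud_t:s0 '
    'tcontext=system_u:object_r:vfio_device_t:s0 tclass=chr_file permissive=0',
    'type=AVC msg=audit(1647427300.103:403): avc:  denied  { read } for  '
    'pid=777 comm="sshd" name="secret" dev="dm-0" ino=55 '
    'scontext=system_u:system_r:sshd_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0',
    'type=SYSCALL msg=audit(1647427300.103:403): arch=c000003e syscall=87 '
    'success=no exit=-13 comm="virtqemud"',
]

if __name__ == '__main__':
    for (comm, tclass, perm), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f'{comm:12} {tclass:10} {perm:10} {n}')
```

Run against real output with `ausearch -m AVC -ts recent | python3 this_script.py` after swapping `SAMPLE_LOG` for `sys.stdin`; a non-empty `unlink` row for `virtqemud` on `chr_file` is the denial the thread is talking about.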