On 2/22/23 12:30, Stefano Brivio wrote:
I don't think we need such drastic measure. I think you can use:
qemuPasstStart() {
seclabel = virDomainDefGetSecurityLabelDef(vm->def, "selinux"); s = context_new(seclabel->label); context_type_set(s, "virt_t); newLabel = context_str(s);
virCommandSetSELinuxLabel(cmd, newLabel);
virCommandRun(); }
Yes, I actually tried something like this and it seemed to work, but I didn't propose it as it looks (is) gross.
Agreed, it's not something I'd show to my kids, but it works.
On the other hand, if you think it's acceptable as a temporary measure, let me test it (in a bit). Thanks for the snippet.
Forgot to mention, it should be wrapped in #ifdef WITH_SELINUX as we offer users to compile without SELinux support (e.g. FreeBSD which does support QEMU but doesn't have SELinux, what a surprise, right?). Michal