
19 Dec 2010, 6:56 p.m.
On 12/19/2010 08:17 AM, Dan Kenigsberg wrote:
> Hi,
> I might be wrong here, but it seems that when libvirt spawns a new qemu process, it sets its uid and gid (qemu:qemu by default) but does not call initgroups(), so the spawned qemu cannot read files that are owned by qemu auxiliary groups.
> Am I right? How difficult is the fix?

You are correct that initgroups isn't called.
It looks like it could be fixed with a call to initgroups in qemu_security.c:qemuSecurityDACSetProcessLabel(), but I would defer to Dan Berrange as to whether that's the best place to put it.
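
The thread above concerns a child process that switches uid and gid without loading the user's supplementary groups. The following C program is an added illustration, not libvirt's code and not written by either poster, showing the ordering of initgroups(), setgid() and setuid() plus a check of the resulting group list; `drop_to_user` and `has_supplementary_group` are hypothetical helper names.

```c
#include <sys/types.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical helper (not libvirt code): switch the calling process to
 * uid:gid. Order matters: supplementary groups and gid are set while the
 * process is still root, uid last. Returns 0 on success, -1 on failure. */
int drop_to_user(uid_t uid, gid_t gid)
{
    struct passwd *pw = getpwuid(uid);
    if (pw == NULL)
        return -1;                       /* unknown uid: no group list to load */
    if (initgroups(pw->pw_name, gid) < 0)
        return -1;                       /* the call the thread says is missing */
    if (setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    return 0;
}

/* Hypothetical check: 1 if gid is a supplementary group of the caller, 0 if not, -1 on error. */
int has_supplementary_group(gid_t gid)
{
    int n = getgroups(0, NULL);          /* ask for the count first */
    if (n <= 0)
        return n;
    gid_t *list = malloc((size_t)n * sizeof(*list));
    if (list == NULL)
        return -1;
    int found = 0;
    n = getgroups(n, list);
    for (int i = 0; i < n; i++)
        found |= (list[i] == gid);
    free(list);
    return n < 0 ? -1 : found;
}

int main(int argc, char **argv)
{
    if (argc != 4 || drop_to_user((uid_t)atol(argv[1]), (gid_t)atol(argv[2])) < 0) {
        fprintf(stderr, "usage (as root): %s UID GID AUX_GID\n", argv[0]);
        return 1;
    }
    printf("aux group present: %d\n", has_supplementary_group((gid_t)atol(argv[3])));
    return 0;
}
```

Run as root with a user's uid, primary gid, and one of that user's auxiliary gids; removing the initgroups() call leaves the process with whatever supplementary groups it had before the switch rather than the target user's.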