
On Mon, Jul 23, 2012 at 10:45:21AM +0100, Daniel P. Berrange wrote:
On Sat, Jul 21, 2012 at 09:43:45PM +0100, Richard W.M. Jones wrote:
On Sat, Jul 21, 2012 at 08:20:45PM +0100, Richard W.M. Jones wrote:
Some questions:
Another question ...
  <channel type="unix">
    <source mode="connect" path="/home/rjones/d/libguestfs/libguestfsSSg3Kl/guestfsd.sock"/>
    <target type="virtio" name="org.libguestfs.channel.0"/>
  </channel>
This clause doesn't work when libguestfs/qemu runs as root. As far as I can tell there is a combination of three factors working against it:
(1) libvirt (when run as root) runs qemu as qemu.qemu. Since this user didn't have write access to the socket, it fails. I fixed this by chowning the socket.
What libvirt URI are you using? If libguestfs is running as non-root, then I expect you'd want to use qemu:///session.
It's using NULL and expecting libvirt to choose the appropriate connection URI, which does appear to work.
Thus all files would be owned by the matching user ID, and I'd suggest $HOME/.libguestfs/qemu for the directory to store the sockets in.
If libguestfs is running as root, then use qemu:///system and a socket under /var/lib/libguestfs/qemu/
This is fairly sucky. We already make a temporary directory (a randomly named subdirectory of $TMPDIR) and that seems the appropriate place for small temporary files like sockets, especially since the temp cleaner will clean them up properly if we don't.
You could either use the same directory that libvirt uses for the main QEMU monitor socket, or preferably define standard directories for libguestfs and have them added to the SELinux policy.
So just so I'm completely clear about what's happening:

(1) SELinux labels are chosen based on the parent directory.

(2) By having a standard named parent directory (even $HOME/.libguestfs) SELinux will assign the right label to a socket in this directory, even if libguestfs is not running as root.

(3) libguestfs should not be setting labels on anything itself.

(4) If a non-root user has never run libguestfs before, then merely the act of libguestfs doing mkdir("$HOME/.libguestfs") [as non-root] will ensure that any sockets in this directory are labelled correctly.

Is this right?

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming blog: http://rwmj.wordpress.com
Fedora now supports 80 OCaml packages (the OPEN alternative to F#)
http://cocan.org/getting_started_with_ocaml_on_red_hat_and_fedora
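The directory scheme proposed in the thread, written out as an added Python example that is not part of the original message or of libguestfs: it picks the libvirt URI and socket directory by uid, creates the directory, and builds the `<channel>` element for a socket inside it. The function names, the 0700 mode, the ownership check and the path-length check are assumptions of this example; the two directories and URIs are the ones suggested above, and no SELinux label is set by the code.

```python
import os
import stat
import xml.etree.ElementTree as ET

SUN_PATH_MAX = 108  # size of sockaddr_un.sun_path on Linux, including the NUL


def socket_location(uid, home):
    """Return (libvirt URI, socket directory) as proposed in the thread."""
    if uid == 0:
        return "qemu:///system", "/var/lib/libguestfs/qemu"
    return "qemu:///session", os.path.join(home, ".libguestfs", "qemu")


def prepare_socket_dir(path):
    """Create the directory (assumed mode 0700) and refuse one that is not ours."""
    os.makedirs(path, mode=0o700, exist_ok=True)
    st = os.lstat(path)  # lstat: a symlink planted at 'path' is not followed
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError(f"{path} is not a directory")
    if st.st_uid != os.geteuid():
        raise RuntimeError(f"{path} is owned by uid {st.st_uid}")
    if st.st_mode & 0o077:
        os.chmod(path, 0o700)  # tighten a pre-existing, looser directory
    return path


def channel_xml(sock_path):
    """Build the <channel> element from the thread for the given socket path."""
    if len(os.fsencode(sock_path)) >= SUN_PATH_MAX:
        raise ValueError("socket path too long for sockaddr_un")
    chan = ET.Element("channel", type="unix")
    ET.SubElement(chan, "source", mode="connect", path=sock_path)
    ET.SubElement(chan, "target", type="virtio", name="org.libguestfs.channel.0")
    return ET.tostring(chan, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample values: uid 1000 with home /home/alice.
    uri, sockdir = socket_location(1000, "/home/alice")
    print(uri)
    print(channel_xml(os.path.join(sockdir, "guestfsd.sock")))
```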