On 08/30/2011 08:49 AM, Daniel Veillard wrote:
I'm still testing this, but based on how we label the incoming pipe in qemuProcessStart, I think this will solve the problem.
diff --git i/src/qemu/qemu_migration.c w/src/qemu/qemu_migration.c index a2dc97c..38b05a9 100644 --- i/src/qemu/qemu_migration.c if (spec.dest.fd.qemu == -1 || - virSetCloseExec(spec.dest.fd.qemu)< 0 || - virSetCloseExec(spec.dest.fd.local)< 0) { + virSecurityManagerSetImageFDLabel(driver->securityManager, vm, + spec.dest.fd.qemu)< 0) { virReportSystemError(errno, "%s", _("cannot create pipe for tunnelled migration")); goto cleanup;
Okay, I managed to reproduce the problem and this fixes it,
ACK,
Thanks; pushed with this commit message: commit e6b8bc812af254f2ec6321b3cb7e9210b519deb0 Author: Eric Blake <eblake@redhat.com> Date: Mon Aug 29 17:31:42 2011 -0600 qemu: properly label outgoing pipe for tunneled migration Commit 3261761 made it possible to use pipes instead of sockets for outgoing tunneled migration; however, it caused a regression because the pipe was never given a SELinux label. * src/qemu/qemu_migration.c (doTunnelMigrate): Label outgoing pipe. -- Eric Blake eblake@redhat.com +1-801-349-2682 Libvirt virtualization library http://libvirt.org