On Fri, Jan 19, 2024 at 01:11:19PM +0100, Peter Krempa wrote:
> On Fri, Jan 19, 2024 at 12:01:55 +0000, Richard W.M. Jones wrote:
> > (2) I'm fairly sure you'll find you need to use --selinux-label at
> > some point. This does some SELinux/sVirt voodoo on the socket. We
> > found that this was necessary:
> >
> > nbdkit -U /tmp/sock --selinux-label=system_u:object_r:svirt_socket_t:s0 ...
> > chcon system_u:object_r:svirt_image_t:s0 /tmp/sock
> >
> > to allow qemu clients to connect to nbdkit when SELinux is enabled,
> > but only some of the time (like, it works fine without this on either
> > Fedora or RHEL, but not the other one, I forget which way round now).
>
> IIRC this is handled by libvirt's security labelling code anyways.

I think that's the labelling of the socket, but there's also the
labelling of the process (nbdkit) side of the socket? They are two
separate things, IIRC. Anyway just noting that we had trouble with
this in the past and the above ^^^ was found to be the solution.
Rich.
--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
Read my programming and virtualization blog:
http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html
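As an added example (not part of the thread or of nbdkit/libvirt), a small pre-flight check for the labelling discussed above: it verifies the type that chcon put on the socket file and, separately, the context of the nbdkit process on the other side of the socket. Function names are my own, and the expected process type is left as a placeholder because the thread does not state what policy assigns to nbdkit.

```shell
#!/bin/sh
# Added example: verify SELinux labels before pointing a qemu client at
# an nbdkit Unix socket that was relabelled as in the thread above.

# Print the SELinux type, i.e. the third field of a context string such as
# system_u:object_r:svirt_image_t:s0.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Check that a file (the nbdkit socket) carries the expected SELinux type.
# Returns 1 when the type differs or when no context can be read at all
# (SELinux disabled, or a stat that does not support %C).
check_file_type() {
    path=$1; want=$2
    ctx=$(stat -c %C -- "$path" 2>/dev/null) || return 1
    case $ctx in
        ''|'?') echo "$path: no SELinux context available" >&2; return 1 ;;
    esac
    have=$(context_type "$ctx")
    if [ "$have" = "$want" ]; then
        echo "$path: $ctx (ok)"
    else
        echo "$path: type is $have, expected $want" >&2
        return 1
    fi
}

# Check the SELinux type of a running process by PID (the process side of
# the socket, which is labelled independently of the socket file).
check_process_type() {
    pid=$1; want=$2
    ctx=$(ps -o label= -p "$pid" 2>/dev/null)
    case $ctx in
        ''|'-'|'?') echo "pid $pid: no SELinux context available" >&2; return 1 ;;
    esac
    have=$(context_type "$ctx")
    [ "$have" = "$want" ] || { echo "pid $pid: type is $have, expected $want" >&2; return 1; }
    echo "pid $pid: $ctx (ok)"
}

# Usage after the nbdkit and chcon commands from the thread:
#   check_file_type /tmp/sock svirt_image_t
#   check_process_type "$(pidof nbdkit)" EXPECTED_NBDKIT_TYPE
# EXPECTED_NBDKIT_TYPE is a placeholder for whatever type your policy runs
# nbdkit under; the thread does not say which one that is.
```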