On 03/09/2012 09:16 AM, Jiri Denemark wrote:
Hi.
On Fri, Mar 09, 2012 at 11:32:47 +0000, Stefan Hajnoczi wrote:
...
> static __inline__ int platform_test_xfs_fd(int fd)
> {
> struct statfs buf;
> if (fstatfs(fd, &buf) < 0)
> return 0;
> return (buf.f_type == 0x58465342); /* XFSB */
> }
>
> In other words, XFS detection will fail when SELinux is enabled.
>
> I'm not familiar with libvirt's use of SELinux. Can someone explain
> if we need to expand the policy in libvirt and how to do that?
Actually, there is no SELinux policy in libvirt. Libvirt merely uses an
appropriate security context when running qemu processes. The rules what such
processes can do and what they are forbidden to do are described in SELinux
policy which is provided as a separate package (or packages on some distros).
So it's this policy (selinux-policy package on Fedora based distros) which
would need to be expanded. Thus it should be negotiated with SELinux policy
maintainers if they are willing to allow svirt_t domain calling fstatfs.
(Also, since the problem occurs on NFS, this may need to be somehow
related to virt_use_nfs being turned on.)
As far as I understand from the conversation yesterday, this use of
fstatfs was added into qemu as part of a "hack" to improve performance
of guests whose images were on NFS shares. This was a problem in
RHEL6.1, for example. The lower level problems that caused poor
performance of images on NFS and necessitated this problem have been
fixed and, for example, are already in RHEL6.2, so the code is in the
process of being removed from QEMU.
So am I correct that this extra permission is only needed for a single
RHEL6 release? If qemu won't be doing fstafs on an ongoing basis, it
doesn't seem like a good idea to permanently open up the permissions
allowed by virt_use_nfs