[libvirt] <seclabel> inside a //disk/source element

According to the docs, it should be possible to do:

  <disk device="disk" type="file">
    <source file="/path/to/some/file">
      <seclabel relabel="no"/>      <---- NB
    </source>
    <target dev="sda" bus="scsi"/>
    <driver name="qemu" type="qcow2"/>
  </disk>

However I tried it, and it simply doesn't work. Furthermore I looked at the code in domain_conf.c, and I can't see how it's even supposed to work. It doesn't look to me as if <seclabel> is ever parsed in that context.

Can anyone else confirm that this is a bug or point out my error?

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines. Boot with a live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v

On Wed, Feb 27, 2013 at 05:14:55PM +0000, Richard W.M. Jones wrote:
> According to the docs, it should be possible to do:
>
>   <disk device="disk" type="file">
>     <source file="/path/to/some/file">
>       <seclabel relabel="no"/>      <---- NB
>     </source>
>     <target dev="sda" bus="scsi"/>
>     <driver name="qemu" type="qcow2"/>
>   </disk>
>
> However I tried it, and it simply doesn't work. Furthermore I looked at the code in domain_conf.c, and I can't see how it's even supposed to work. It doesn't look to me as if <seclabel> is ever parsed in that context.
>
> Can anyone else confirm that this is a bug or point out my error?

Historically this was correct, because we only supported labels for one security driver. When we added support for multiple security drivers it seems we caused a regression.

  <seclabel relabel="no"/>

should have been treated as equivalent to

  <seclabel relabel="no" model="selinux"/>

but we're not doing that :-(

If you explicitly add the model it'll do what you want. We should still fix this bug though

Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
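
As an added example, not part of the thread and not libvirt's own code: a Python check over domain XML for the model-less per-disk <seclabel> described above, which also applies the workaround of naming the model explicitly. The sample XML and the function names are constructed here, and "selinux" is assumed to be the security model in use on the host.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain XML (not from the thread): sda uses the model-less
# form from the original report, sdb already names its security model.
SAMPLE_DOMAIN = """
<domain type="kvm">
  <devices>
    <disk device="disk" type="file">
      <source file="/path/to/some/file">
        <seclabel relabel="no"/>
      </source>
      <target dev="sda" bus="scsi"/>
      <driver name="qemu" type="qcow2"/>
    </disk>
    <disk device="disk" type="file">
      <source file="/path/to/other/file">
        <seclabel relabel="no" model="selinux"/>
      </source>
      <target dev="sdb" bus="scsi"/>
    </disk>
  </devices>
</domain>
"""

def modelless_disk_seclabels(root):
    """Yield (target dev, seclabel element) for each per-disk <seclabel> with no model."""
    for disk in root.iter("disk"):
        target = disk.find("target")
        dev = target.get("dev") if target is not None else None
        for label in disk.findall("./source/seclabel"):
            if not label.get("model"):
                yield dev, label

def audit(domain_xml):
    """Return the target names of disks whose source seclabel omits the model."""
    root = ET.fromstring(domain_xml)
    return [dev for dev, _ in modelless_disk_seclabels(root)]

def add_explicit_model(domain_xml, model="selinux"):
    """Return domain XML with model=... set on every model-less disk seclabel."""
    root = ET.fromstring(domain_xml)
    for _, label in modelless_disk_seclabels(root):
        label.set("model", model)  # assumption: this is the host's active model
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print("model-less disk seclabels:", audit(SAMPLE_DOMAIN))
    print(add_explicit_model(SAMPLE_DOMAIN))
```

Running the audit before defining a guest shows which disks depend on the implicit-model behaviour that the reply describes as regressed.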

On Wed, Feb 27, 2013 at 05:24:26PM +0000, Daniel P. Berrange wrote:
> On Wed, Feb 27, 2013 at 05:14:55PM +0000, Richard W.M. Jones wrote:
>> According to the docs, it should be possible to do:
>>
>>   <disk device="disk" type="file">
>>     <source file="/path/to/some/file">
>>       <seclabel relabel="no"/>      <---- NB
>>     </source>
>>     <target dev="sda" bus="scsi"/>
>>     <driver name="qemu" type="qcow2"/>
>>   </disk>
>>
>> However I tried it, and it simply doesn't work. Furthermore I looked at the code in domain_conf.c, and I can't see how it's even supposed to work. It doesn't look to me as if <seclabel> is ever parsed in that context.
>>
>> Can anyone else confirm that this is a bug or point out my error?
>
> Historically this was correct, because we only supported labels for one security driver. When we added support for multiple security drivers it seems we caused a regression.
>
>   <seclabel relabel="no"/>
>
> should have been treated as equivalent to
>
>   <seclabel relabel="no" model="selinux"/>
>
> but we're not doing that :-(

This works, thanks. Unfortunately it leads to an even more intractable labelling problem, but I'll follow up on the original BZ here:

https://bugzilla.redhat.com/show_bug.cgi?id=912499

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Fedora Windows cross-compiler. Compile Windows programs, test, and build Windows installers. Over 100 libraries supported.
http://fedoraproject.org/wiki/MinGW