----- Original Message -----
From: Martin Kletzander <mkletzan(a)redhat.com>
To: Cristian Ciupitu <cristian.ciupitu(a)yahoo.com>
Cc: Eric Blake <eblake(a)redhat.com>; libvirt-users <libvirt-users(a)redhat.com>
Sent: Tuesday, August 20, 2013 6:05 PM
Subject: Re: [libvirt-users] Stop the relabeling of CD images
On 08/20/2013 04:19 AM, Cristian Ciupitu wrote:
> ----- Original Message -----
>> From: Eric Blake <eblake(a)redhat.com>
>> To: Cristian Ciupitu <cristian.ciupitu(a)yahoo.com>
>> Cc: libvirt-users <libvirt-users(a)redhat.com>
>> Sent: Monday, August 19, 2013 11:24 PM
>> Subject: Re: [libvirt-users] Stop the relabeling of CD images
>
>> So maybe this would do it:
>>
>> <source file=...>
>> <seclabel model='selinux' relabel='no'/>
>> <seclabel model='dac' relabel='no'/>
>> </source>
>
> I've just tried it and the SELinux label is not changed anymore, but
> the ownership is still changed to qemu:qemu.
>
>> I'm also not sure why you think to resort to chattr +i, but if using
>> that causes libvirt heartburn, maybe we have a bug to fix to be more
>> tolerant of failed label attempts due to chattr.
>
> I resorted to `chattr +i` because I got tired of libvirtd messing with
> my files even if it wasn't required. The official versions of libvirtd
> from Fedora 18 or 19 used to complain about not being able to change the
> files, but the current bleeding edge version hasn't complained (with the
> XML config from above).
>
> To sum it up, SELinux - solved, DAC - not (yet).
>
I played with it earlier, but I'm not sure which settings we use when.
This is just a "possible workaround", even though it might look like
it's doing something else. Anyway, if I'm not mistaken, adding a
<shareable/> into the <disk> element should stop all relabeling.
Correct me if I'm wrong and post your findings, I'll try how relabel
works for DAC with upstream in the meantime.

<shareable/> didn't work for me. This is what I currently have:

# virsh dumpxml test
...
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <source file='/mnt/extra/Software/Linux/Fedora/Fedora-Live-Desktop-x86_64-19/Fedora-Live-Desktop-x86_64-19-1.iso'>
        <seclabel model='selinux' relabel='no'/>
      </source>
      <target dev='hdc' bus='ide'/>
      <readonly/>
      <shareable/>
      <address type='drive' controller='0' bus='1' target='0' unit='0'/>
    </disk>
...
And this is what happens:

# ls -lZ Fedora-Live-Desktop-x86_64-19-1.iso
-r--r--r--. root root system_u:object_r:public_content_t:s0 Fedora-Live-Desktop-x86_64-19-1.iso
# virsh start test
Domain test started
# ls -lZ Fedora-Live-Desktop-x86_64-19-1.iso
-r--r--r--. qemu qemu system_u:object_r:public_content_t:s0 Fedora-Live-Desktop-x86_64-19-1.iso
Adding <seclabel model='dac' relabel='no'/> under <source> doesn't make
a difference.

Kind regards,
Cristian Ciupitu
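
Added example (not part of the original messages and not libvirt code): a small Python check that reads `virsh dumpxml` output and reports, for each disk, whether <source> carries a per-device <seclabel> relabel setting for the selinux and dac models discussed above. The sample XML, its paths and the function name relabel_overrides are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the <disk> element quoted in the thread;
# the file paths are placeholders, not the poster's paths.
SAMPLE_XML = """
<domain type='kvm'>
  <devices>
    <disk type='file' device='cdrom'>
      <source file='/srv/iso/example.iso'>
        <seclabel model='selinux' relabel='no'/>
      </source>
      <target dev='hdc' bus='ide'/>
      <shareable/>
    </disk>
    <disk type='file' device='disk'>
      <source file='/srv/images/example.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
  </devices>
</domain>
"""

MODELS = ("selinux", "dac")  # the two security models discussed in the thread


def relabel_overrides(domain_xml):
    """Per disk target: source path and relabel setting for each model."""
    report = {}
    for disk in ET.fromstring(domain_xml).iterfind("./devices/disk"):
        source = disk.find("source")
        if source is None:  # e.g. an empty CD-ROM drive, nothing to relabel
            continue
        target = disk.find("target")
        dev = target.get("dev") if target is not None else "?"
        # 'default' = no explicit per-device relabel setting for that model
        settings = dict.fromkeys(MODELS, "default")
        for label in source.iterfind("seclabel"):
            if label.get("model") in settings:
                settings[label.get("model")] = label.get("relabel", "default")
        report[dev] = {"path": source.get("file") or source.get("dev"), **settings}
    return report


if __name__ == "__main__":
    for dev, info in relabel_overrides(SAMPLE_XML).items():
        print(dev, info)
```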