Richard W.M. Jones
2012-Sep-14 15:04 UTC
[Libguestfs] NOTE: In libguestfs 1.19.41, the libvirt backend will have sVirt enabled by default
[If you're using the upstream libguestfs with default settings, then this does NOT affect you. libvirt isn't required by libguestfs.]

From libguestfs 1.19.41, if you have selected the alternate libvirt method to launch the appliance, ie, if you have done:

  ./configure --with-default-attach-method=libvirt

then sVirt is enabled by default.

This is for enhanced security: if a malicious disk image manages to corrupt the appliance *and* take over qemu, then SELinux provides additional confinement of the qemu process, ensuring it cannot read or write arbitrary files or other resources in the host.

From Fedora 18, this will be the default.

However sVirt won't work currently unless you patch libvirt and add some SELinux policy. The details are in these two bugs:

https://bugzilla.redhat.com/show_bug.cgi?id=853393
https://bugzilla.redhat.com/show_bug.cgi?id=857453

I hope to get these fixes upstream soon.

Furthermore if you want to run 'make check' with libvirt + sVirt + SELinux=Enforcing, then you'll need to label the 'tmp' directory in the libguestfs sources:

  cd /path/to/libguestfs
  chcon --reference=/tmp tmp

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-top is 'top' for virtual machines. Tiny program with many powerful monitoring features, net stats, disk stats, logging, etc.
http://et.redhat.com/~rjones/virt-top