Cristian Ciupitu
2013-Aug-20 02:19 UTC
Re: [libvirt-users] Stop the relabeling of CD images
----- Original Message -----
> From: Eric Blake <eblake@redhat.com>
> To: Cristian Ciupitu <cristian.ciupitu@yahoo.com>
> Cc: libvirt-users <libvirt-users@redhat.com>
> Sent: Monday, August 19, 2013 11:24 PM
> Subject: Re: [libvirt-users] Stop the relabeling of CD images

> So maybe this would do it:
>
> <source file=...>
>   <seclabel model='selinux' relabel='no'/>
>   <seclabel model='dac' relabel='no'/>
> </source>

I've just tried it and the SELinux label is not changed anymore, but the ownership is still changed to qemu:qemu.

> I'm also not sure why you think to resort to chattr +i, but if using
> that causes libvirt heartburn, maybe we have a bug to fix to be more
> tolerant of failed label attempts due to chattr.

I resorted to `chattr +i` because I got tired of libvirtd messing with my files even if it wasn't required. The official versions of libvirtd from Fedora 18 or 19 used to complain about not being able to change the files, but the current bleeding edge version hasn't complained (with the XML config from above).

To sum it up, SELinux - solved, DAC - not (yet).

Thank you,
Cristian Ciupitu
Martin Kletzander
2013-Aug-20 15:05 UTC
Re: [libvirt-users] Stop the relabeling of CD images
On 08/20/2013 04:19 AM, Cristian Ciupitu wrote:
> ----- Original Message -----
>> From: Eric Blake <eblake@redhat.com>
>> To: Cristian Ciupitu <cristian.ciupitu@yahoo.com>
>> Cc: libvirt-users <libvirt-users@redhat.com>
>> Sent: Monday, August 19, 2013 11:24 PM
>> Subject: Re: [libvirt-users] Stop the relabeling of CD images
>
>> So maybe this would do it:
>>
>> <source file=...>
>>   <seclabel model='selinux' relabel='no'/>
>>   <seclabel model='dac' relabel='no'/>
>> </source>
>
> I've just tried it and the SELinux label is not changed anymore, but the
> ownership is still changed to qemu:qemu.
>
>> I'm also not sure why you think to resort to chattr +i, but if using
>> that causes libvirt heartburn, maybe we have a bug to fix to be more
>> tolerant of failed label attempts due to chattr.
>
> I resorted to `chattr +i` because I got tired of libvirtd messing with
> my files even if it wasn't required. The official versions of libvirtd
> from Fedora 18 or 19 used to complain about not being able to change the
> files, but the current bleeding edge version hasn't complained (with the
> XML config from above).
>
> To sum it up, SELinux - solved, DAC - not (yet).
>

I played with it earlier, but I'm not sure which settings we use when. This is just a "possible workaround", even though it might look like it's doing something else. Anyway, if I'm not mistaken, adding a <shareable/> into the <disk> element should stop all relabeling. Correct me if I'm wrong and post your findings, I'll try how relabel works for DAC with upstream in the meantime.

Martin
Cristian Ciupitu
2013-Aug-20 20:17 UTC
Re: [libvirt-users] Stop the relabeling of CD images
----- Original Message -----
> From: Martin Kletzander <mkletzan@redhat.com>
> To: Cristian Ciupitu <cristian.ciupitu@yahoo.com>
> Cc: Eric Blake <eblake@redhat.com>; libvirt-users <libvirt-users@redhat.com>
> Sent: Tuesday, August 20, 2013 6:05 PM
> Subject: Re: [libvirt-users] Stop the relabeling of CD images
>
> On 08/20/2013 04:19 AM, Cristian Ciupitu wrote:
>> ----- Original Message -----
>>> From: Eric Blake <eblake@redhat.com>
>>> To: Cristian Ciupitu <cristian.ciupitu@yahoo.com>
>>> Cc: libvirt-users <libvirt-users@redhat.com>
>>> Sent: Monday, August 19, 2013 11:24 PM
>>> Subject: Re: [libvirt-users] Stop the relabeling of CD images
>>
>>> So maybe this would do it:
>>>
>>> <source file=...>
>>>   <seclabel model='selinux' relabel='no'/>
>>>   <seclabel model='dac' relabel='no'/>
>>> </source>
>>
>> I've just tried it and the SELinux label is not changed anymore, but
>> the ownership is still changed to qemu:qemu.
>>
>>> I'm also not sure why you think to resort to chattr +i, but if using
>>> that causes libvirt heartburn, maybe we have a bug to fix to be more
>>> tolerant of failed label attempts due to chattr.
>>
>> I resorted to `chattr +i` because I got tired of libvirtd messing with
>> my files even if it wasn't required. The official versions of libvirtd
>> from Fedora 18 or 19 used to complain about not being able to change the
>> files, but the current bleeding edge version hasn't complained (with the
>> XML config from above).
>>
>> To sum it up, SELinux - solved, DAC - not (yet).
>>
>
> I played with it earlier, but I'm not sure which settings we use when.
> This is just a "possible workaround", even though it might look like
> it's doing something else. Anyway, if I'm not mistaken, adding a
> <shareable/> into the <disk> element should stop all relabeling.
> Correct me if I'm wrong and post your findings, I'll try how relabel
> works for DAC with upstream in the meantime.

<shareable/> didn't work for me.

This is what I currently have:

# virsh dumpxml test
...
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <source file='/mnt/extra/Software/Linux/Fedora/Fedora-Live-Desktop-x86_64-19/Fedora-Live-Desktop-x86_64-19-1.iso'>
        <seclabel model='selinux' relabel='no'/>
      </source>
      <target dev='hdc' bus='ide'/>
      <readonly/>
      <shareable/>
      <address type='drive' controller='0' bus='1' target='0' unit='0'/>
    </disk>
...

And this is what happens:

# ls -lZ Fedora-Live-Desktop-x86_64-19-1.iso
-r--r--r--. root root system_u:object_r:public_content_t:s0 Fedora-Live-Desktop-x86_64-19-1.iso
# virsh start test
Domain test started

# ls -lZ Fedora-Live-Desktop-x86_64-19-1.iso
-r--r--r--. qemu qemu system_u:object_r:public_content_t:s0 Fedora-Live-Desktop-x86_64-19-1.iso

Adding <seclabel model='dac' relabel='no'/> under <source> doesn't make a difference.

Kind regards,
Cristian Ciupitu
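
Added example, not part of the original thread: a Python sketch that reads domain XML like the `virsh dumpxml` output above, reports which security models (`selinux`, `dac`) carry a per-source `relabel` override on each disk, and compares a file's owner and SELinux label before and after a domain start. The sample XML is constructed from the message above with a placeholder path, and the function names are hypothetical.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the <disk> element quoted in the thread;
# the ISO path is a placeholder.
SAMPLE_XML = """
<domain type='kvm'>
  <name>test</name>
  <devices>
    <disk type='file' device='cdrom'>
      <source file='/path/to/example.iso'>
        <seclabel model='selinux' relabel='no'/>
      </source>
      <target dev='hdc' bus='ide'/>
      <readonly/>
      <shareable/>
    </disk>
  </devices>
</domain>
"""

def disk_relabel_report(domain_xml, models=("selinux", "dac")):
    """Per disk: relabel setting per security model (None = no override)."""
    report = []
    for disk in ET.fromstring(domain_xml).iter("disk"):
        source = disk.find("source")
        if source is None:
            continue  # e.g. an empty CD-ROM drive
        target = disk.find("target")
        found = {s.get("model"): s.get("relabel") for s in source.findall("seclabel")}
        report.append({
            "target": None if target is None else target.get("dev"),
            "path": source.get("file") or source.get("dev"),
            "relabel": {m: found.get(m) for m in models},
        })
    return report

def snapshot(path):
    """Owner, group and SELinux label of a file, for a before/after comparison."""
    st = os.stat(path)
    try:
        label = os.getxattr(path, "security.selinux").rstrip(b"\0").decode()
    except (OSError, AttributeError):
        label = None  # no SELinux xattr, or a platform without getxattr
    return {"uid": st.st_uid, "gid": st.st_gid, "selinux": label}

def changed_fields(before, after):
    """Names of the fields that differ between two snapshots."""
    return sorted(k for k in before if before[k] != after[k])
```

Take `snapshot()` of the image before `virsh start` and again afterwards; `changed_fields()` then shows whether ownership, label or both were rewritten, independent of what the XML requests.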