Displaying 6 results from an estimated 6 matches for "setfilecon".
2019 Apr 30
0
Re: libvirtd via unix socket using system uri
...a capability that wasn't present? My reading of
> capabilities is that behaviour is indistinguishable until you get an EPERM?
>
> I agree that CAP_DAC_OVERRIDE (per your later mail) is game over for any
CAP_DAC_OVERRIDE won't be required if you don't need libvirt to
chown()/setfilecon() disk images (dynamic_ownership in qemu.conf).
CAP_SYS_ADMIN is going to be required if you want libvirt to mount some
nfs based storage pools/create namespaces (note that libvirt creates a
small namespace for qemu to run in - might need CAP_MKNOD then).
Long story short, why bother with /syste...
2004 Sep 07
0
Please review openssh patch for selinux
...tty, strerror(errno));
+ } else {
+ if (security_compute_relabel(user_context,old_tty_context,
+ SECCLASS_CHR_FILE,
+ &new_tty_context) != 0) {
+ error("security_compute_relabel(%.100s) failed: %.100s", tty,
+ strerror(errno));
+ } else {
+ if (setfilecon (tty, new_tty_context) != 0)
+ error("setfilecon(%.100s, %s) failed: %.100s",
+ tty, new_tty_context,
+ strerror(errno));
+ freecon(new_tty_context);
+ }
+ freecon(old_tty_context);
+ }
+ if (user_context) {
+ freecon(user_context);
+ }
+ }
+}
+
+void...
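Review bot: the `setfilecon (tty, new_tty_context) != 0` branch, like the `security_compute_relabel(...)` failure branch above it, only calls `error()` and then carries on to the `freecon()` calls. In the visible lines neither failure changes control flow, so a tty that could not be relabelled keeps its old context and nothing signals that to the rest of the login path. Consider propagating a failure status out of this function, or treating the failure as fatal when SELinux is enforcing, so that a session is not started on a tty carrying the wrong label. A smaller point: `user_context` is guarded with `if (user_context)` before `freecon(user_context)` but is passed to `security_compute_relabel()` a few lines earlier; if it can be NULL here, check it before that call, and if it cannot, drop the guard.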
2019 Apr 30
2
Re: libvirtd via unix socket using system uri
On Tue, 30 Apr 2019 at 10:48, Daniel P. Berrangé <berrange@redhat.com>
wrote:
> On Tue, Apr 30, 2019 at 10:45:03AM +0100, Peter Crowther wrote:
> > On Tue, 30 Apr 2019 at 10:40, Michal Privoznik <mprivozn@redhat.com>
> wrote:
> >
> > > Is there any problem running libvirtd as root?
> > >
> > > Yes, in the regulated environment in which I
2013 Feb 28
5
[PATCH v2 0/5] Fix SELinux security contexts so we can access shared disks (RHBZ#912499).
Link to version 1:
https://www.redhat.com/archives/libguestfs/2013-February/thread.html#00122
Changes since version 1:
- I've pushed two (of the three) code refactoring patches. The third
one proved rather hard to move.
- selinuxnorelabel option is no more. Instead there is a second
internal API (internal_set_libvirt_selinux_norelabel_disks).
- fixed bogus commit message
-
2014 Jan 16
3
[PATCH 0/2] Don't use snapshot=on
QEMU upstream has broken snapshot=on ... again.
These two patches stop using it entirely. Instead we run
'qemu-img create' to create overlay disks as required.
Note that the libvirt and UML backends were already doing this: The
libvirt backend because <transient/> has never worked, and the UML
backend was running uml_mkcow because the UML-equivalent syntax of
snapshot=on was
2013 Feb 28
7
[PATCH 0/7] Fix SELinux security contexts so we can access shared disks (RHBZ#912499).
https://bugzilla.redhat.com/show_bug.cgi?id=912499
(especially comments 7 & 10)
This patch set is the final fix so that we can access disks in use by
other guests when SELinux and sVirt are enabled.
Previously such disks were inaccessible because sVirt labels the disks
with a random SELinux label to prevent other instances of qemu from
being able to read them. So naturally the libguestfs