search for: svirt_socket_t

While svirt_t can be used for sockets it does not always guarantee that it will be accessible from a virtual machine. The VM might be running under svirt_tcg_t context which will need a svirt_tcg_t label on the socket in order to access it. There is, however, another label, svirt_socket_t, which is accessible from virt_domain: # sesearch -A -s svirt_t -c unix_stream_socket -p connectto ... allow virt_domain svirt_socket_t:unix_stream_socket { ... connectto ... }; ... And virt_domain is a type attribute of both svirt_t and svirt_tcg_t: # seinfo -x -a virt_domain Type A...

...nning under svirt_tcg_t > context which will need a svirt_tcg_t label on the socket in order to access it. I don't really know enough about SELinux or the sVirt policy to comment on this, but it's plausible so I'll push it soon, thanks. Rich. > There is, however, another label, svirt_socket_t, which is accessible from > virt_domain: > > # sesearch -A -s svirt_t -c unix_stream_socket -p connectto > ... > allow virt_domain svirt_socket_t:unix_stream_socket { ... connectto ... }; > ... > > And virt_domain is a type attribute of both svirt_t and svirt_tcg_t...

...3 insertions(+) diff --git a/v2v/input_libvirt_vddk.ml b/v2v/input_libvirt_vddk.ml index a8e4fd5ac78e..cc63f77ce825 100644 --- a/v2v/input_libvirt_vddk.ml +++ b/v2v/input_libvirt_vddk.ml @@ -284,6 +284,9 @@ object (self) add_arg "--selinux-label"; add_arg "system_u:object_r:svirt_socket_t:s0" ); + if shell_command "nbdkit --filter cacheextents memory 1M --run true 2>/dev/null" = 0 + then add_arg "--filter=cacheextents"; + (* Name of the plugin. Everything following is a plugin parameter. *) add_arg "vddk"; --...

...checks that the plugin is available and loadable. > *) >@@ -133,9 +142,17 @@ let common_create plugin_name plugin_args plugin_env = > if have_selinux then ( (* label the socket so qemu can open it *) > add_arg "--selinux-label"; add_arg "system_u:object_r:svirt_socket_t:s0" > ); >+ >+ (* Adding the readahead filter is always a win for our access >+ * patterns. However if it doesn't exist don't worry. >+ *) >+ if Sys.file_exists (filterdir // "nbdkit-readahead-filter.so") then ( >+ add_arg "--filter"...

...which also * checks that the plugin is available and loadable. *) @@ -133,9 +142,17 @@ let common_create plugin_name plugin_args plugin_env = if have_selinux then ( (* label the socket so qemu can open it *) add_arg "--selinux-label"; add_arg "system_u:object_r:svirt_socket_t:s0" ); + + (* Adding the readahead filter is always a win for our access + * patterns. However if it doesn't exist don't worry. + *) + if Sys.file_exists (filterdir // "nbdkit-readahead-filter.so") then ( + add_arg "--filter"; add_arg "readahead&qu...

...ways slow). >> >> @@ -133,9 +142,17 @@ let common_create plugin_name plugin_args >> plugin_env = >>   if have_selinux then (        (* label the socket so qemu can open >> it *) >>     add_arg "--selinux-label"; add_arg >> "system_u:object_r:svirt_socket_t:s0" >>   ); >> + >> +  (* Adding the readahead filter is always a win for our access >> +   * patterns.  However if it doesn't exist don't worry. >> +   *) >> +  if Sys.file_exists (filterdir // "nbdkit-readahead-filter.so") then ( >>...

...add_arg "--newstyle"; (* use newstyle NBD protocol *) - add_arg "--exportname"; add_arg "/"; - if have_selinux then ( (* label the socket so qemu can open it *) - add_arg "--selinux-label"; add_arg "system_u:object_r:svirt_socket_t:s0" - ); - - (* Name of the plugin. Everything following is a plugin parameter. *) - add_arg "vddk"; - - let password_param = - match input_password with - | None -> - (* nbdkit asks for the password interactively *) - "p...

v3 posted here: https://www.redhat.com/archives/libguestfs/2019-July/msg00200.html v4: - The first patch in the v3 series was just a trivial doc whitespace fix so I pushed it. - There's a new patch using the nbdkit-retry-filter. This is not actually upstream in nbdkit but we know enough about how it will work. - Rebased against master and reran the tests. Rich.

v2 was posted here: https://www.redhat.com/archives/libguestfs/2019-July/msg00115.html This also has links to earlier versions. v3: - The 01/11 patch in v2 included a bunch of unnecessary plus one necessary change to how input_password is passed around. I moved the necessary change into the final patch (implementing SSH password authentication) and dropped the rest. - The 01/11

Originally posted here: https://www.redhat.com/archives/libguestfs/2019-April/thread.html#00054 https://www.redhat.com/archives/libguestfs/2019-April/msg00076.html https://www.redhat.com/archives/libguestfs/2019-April/msg00126.html This is a rebase on top of current master branch with no other changes. The first patch in the old series was pushed a while back, and the last "TEMPORARY"