On Mon, May 21, 2018 at 06:22:06PM +0100, Richard W.M. Jones wrote:
> libvirt doesn't have a concept of "session qemu" for root:
> 
>   https://bugzilla.redhat.com/show_bug.cgi?id=890291
> 
> When a libguestfs-using process runs as root, and libvirt runs a qemu
> subprocess, the qemu subprocess is run as a non-root user (typically
> qemu.qemu).  This causes various problems, for example if we try to
> open a file which is readable by root but unreadable by qemu.qemu then
> the operation will fail.
> 
> This can be changed globally via a configuration file, but it can also
> be changed by using a <seclabel/> clause in the XML (although I think
> that's not the only effect):
> 
>   <seclabel type="static" model="dac" relabel="no">
>     <label>0:0</label>
>   </seclabel>
> 
> This patch makes that change.
> 
> I notice that after this change, qemu is indeed running as root.
> However the file being examined still gets relabelled by SELinux (to
> virt_content_t IIRC).  Maybe this relabelling is in fact desirable.

If you turn off relabelling you'll certainly get SELinux denials,
unless the files already have the virt_content_t label or equiv.
So if you wanted to prevent SELinux labelling, you would probably
have to turn off SELinux confinement entirely. 

> Also as you can see from the patch there are cases where we use
> another <seclabel model='selinux'/> element to set labels to a known
> value.  It's not clear if we can include both <seclabel/> elements.
> The patch as shown overrides the selinux seclabel if running as root.

Yes, you can set multiple <seclabel> elements in the same guest - in
fact if you look at a running guest you'll see two present. You just
need to make sure "model" attribute is unique on each.
Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
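For reference, here is what the combination discussed in the thread looks like in domain XML: a static DAC label that runs qemu as root alongside a separate SELinux seclabel, each with its own distinct model attribute. This is an added illustration, not code from the libguestfs patch or from either message; the domain name is a placeholder, and the SELinux element is shown as a dynamic label because the patch's actual static label values are not quoted here. Only the seclabel-relevant parts of the domain definition are shown.

```xml
<!-- Added example fragment, not part of the patch or the thread.
     Two <seclabel> elements on one guest; libvirt accepts several as
     long as the "model" attribute differs on each. -->
<domain type='kvm'>
  <name>example-appliance</name> <!-- placeholder name -->

  <!-- DAC: run the qemu process as uid 0 / gid 0 instead of qemu.qemu,
       so files readable only by root can be opened. relabel='no' stops
       libvirt from chowning the disk images to the qemu user. -->
  <seclabel type='static' model='dac' relabel='no'>
    <label>0:0</label>
  </seclabel>

  <!-- SELinux: keep relabelling on, so the files the guest uses receive
       a type the confined qemu domain may access. With relabel='no' here
       you would get AVC denials unless the files already carry a
       suitable label (for example virt_content_t). -->
  <seclabel type='dynamic' model='selinux' relabel='yes'/>
</domain>
```

After the guest is defined and started, `virsh dumpxml <domain>` shows both elements in the live XML, which is a quick way to confirm that the DAC label did not replace the SELinux one. A process listing of the qemu child confirms the uid change independently of the XML.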