[If you're using the upstream libguestfs with default settings, then
this does NOT affect you. libvirt isn't required by libguestfs.]
From libguestfs 1.19.41, if you have selected the alternate libvirt
method to launch the appliance, ie, if you have done:
./configure --with-default-attach-method=libvirt
then sVirt is enabled by default.
This is for enhanced security: if a malicious disk image manages to
corrupt the appliance *and* take over qemu, then SELinux provides
additional confinement of the qemu process, ensuring it cannot read or
write arbitrary files or other resources in the host. From Fedora 18,
this will be the default.
However sVirt won't work currently unless you patch libvirt and add
some SELinux policy. The details are in these two bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=853393
https://bugzilla.redhat.com/show_bug.cgi?id=857453
I hope to get these fixes upstream soon.
Furthermore if you want to run 'make check' with libvirt + sVirt +
SELinux=Enforcing, then you'll need to label the 'tmp' directory in
the libguestfs sources:
cd /path/to/libguestfs
chcon --reference=/tmp tmp
Rich.
--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
virt-top is 'top' for virtual machines. Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://et.redhat.com/~rjones/virt-top