On Thu, Feb 28, 2013 at 02:31:23PM +0000, Richard W.M. Jones wrote:
> On Thu, Feb 28, 2013 at 02:24:30PM +0000, Richard W.M. Jones wrote:
> > On Thu, Feb 28, 2013 at 02:14:42PM +0000, Matthew Booth wrote:
> > > Relabelling the appliance could get complicated wrt multiple
> > > appliances running simultaneously.
> >
> > Right -- I suspect this is buggy actually, but it's quite hard to test
> > it since I need to run up lots of guests and run virt-df in parallel
> > on them. Also we put <shareable/> on the appliance disk, and I'm not
> > sure what libvirt does in that case.
>
> I spun up a few libvirt guests and surprisingly this all seems to
> work. I have no idea why :-) I agree with you that it shouldn't work
> because the labels should get stomped on by the different connections,
> but it seems libvirt is being cleverer somehow.

For any disk with <shareable/> set, libvirt ignores the VM MCS level
and labels the disk with a simple svirt_image_t label which allows
*every* VM running on the host to have read-write access to the
disk.

You can't share disks between VMs, if they have MCS levels attached,
unless the VMs all have the same MCS level themselves.

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
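
The labelling rule described in the reply above, as an added example that is not part of the original thread and is not libvirt code: a small audit that reads a running guest's domain XML and reports which disks keep the VM's MCS categories and which are `<shareable/>` and therefore lose them. The function names, the sample XML, its paths and its categories are constructed for illustration.

```python
import xml.etree.ElementTree as ET
# Constructed live-domain XML (as from `virsh dumpxml` on a running guest);
# paths and MCS categories are invented for this example.
SAMPLE_XML = """
<domain type='kvm'>
  <devices>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/guest1.img'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <disk type='file' device='disk'>
      <source file='/var/tmp/appliance.img'/>
      <target dev='vdb' bus='virtio'/>
      <shareable/>
    </disk>
  </devices>
  <seclabel type='dynamic' model='selinux'>
    <label>system_u:system_r:svirt_t:s0:c123,c456</label>
    <imagelabel>system_u:object_r:svirt_image_t:s0:c123,c456</imagelabel>
  </seclabel>
</domain>
"""

def mcs_categories(context):
    """Return the category part of an SELinux context ('' if it has none)."""
    fields = context.strip().split(":", 4)
    return fields[4] if len(fields) == 5 else ""

def audit_disks(domain_xml):
    """List (target, path, shareable, effective MCS categories) per disk."""
    # Models only the rule from the thread: a <shareable/> disk is labelled
    # without the VM's MCS level. <readonly/> disks are not modelled.
    root = ET.fromstring(domain_xml)
    vm_mcs = mcs_categories(
        root.findtext("seclabel[@model='selinux']/imagelabel", default=""))
    rows = []
    for disk in root.findall("devices/disk"):
        src = disk.find("source")
        path = (src.get("file") or src.get("dev")) if src is not None else None
        shared = disk.find("shareable") is not None
        rows.append((disk.find("target").get("dev"), path, shared,
                     "" if shared else vm_mcs))
    return rows

if __name__ == "__main__":
    for dev, path, shared, mcs in audit_disks(SAMPLE_XML):
        note = "no MCS isolation, any VM on the host can read/write" if shared else "confined to " + mcs
        print(f"{dev} {path}: {note}")
```
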