Re: [Libguestfs] [PATCH] Use proper label for nbdkit sockets

While svirt_t can be used for sockets it does not always guarantee that it will be accessible from a virtual machine. The VM might be running under svirt_tcg_t context which will need a svirt_tcg_t label on the socket in order to access it.

There is, however, another label, svirt_socket_t, which is accessible from virt_domain: # sesearch -A -s svirt_t -c unix_stream_socket -p connectto ... allow virt_domain svirt_socket_t:unix_stream_socket { ... connectto ... }; ... And virt_domain is a type attribute of both svirt_t and svirt_tcg_t: # seinfo -x -a virt_domain Type Attributes: 1 attribute virt_domain; svirt_t svirt_tcg_t Resolves: https://bugzilla.redhat.com/1698437 Signed-off-by: Martin Kletzander <mkletzan(a)redhat.com&gt; --- v2v/input_libvirt_vddk.ml | 2 +- v2v/output_rhv_upload.ml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/v2v/input_libvirt_vddk.ml b/v2v/input_libvirt_vddk.ml index e2efef842e8e..4e36ff71f783 100644 --- a/v2v/input_libvirt_vddk.ml +++ b/v2v/input_libvirt_vddk.ml @@ -286,7 +286,7 @@ object add_arg "--newstyle"; (* use newstyle NBD protocol *) add_arg "--exportname"; add_arg "/"; if have_selinux then ( (* label the socket so qemu can open it *) - add_arg "--selinux-label"; add_arg "system_u:object_r:svirt_t:s0" + add_arg "--selinux-label"; add_arg "system_u:object_r:svirt_socket_t:s0" ); (* Name of the plugin. Everything following is a plugin parameter. *) diff --git a/v2v/output_rhv_upload.ml b/v2v/output_rhv_upload.ml index 0709c8152c4e..5bc6a400725b 100644 --- a/v2v/output_rhv_upload.ml +++ b/v2v/output_rhv_upload.ml @@ -213,7 +213,7 @@ See also the virt-v2v-output-rhv(1) manual.") let args = (* label the socket so qemu can open it *) if have_selinux then - args @ ["--selinux-label"; "system_u:object_r:svirt_t:s0"] + args @ ["--selinux-label"; "system_u:object_r:svirt_socket_t:s0"] else args in args in -- 2.21.0