On Thu, Apr 02, 2026 at 11:12:37 -0400, Cole Robinson via Devel wrote: > Fixed to abide domain seclabel model='dac' override > > Signed-off-by: Cole Robinson <[email protected]> > --- > src/qemu/qemu_domain.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c > index bed8c558d0..c89030b60c 100644 > --- a/src/qemu/qemu_domain.c > +++ b/src/qemu/qemu_domain.c > @@ -9107,6 +9107,8 @@ qemuDomainPrepareStorageSourceNbdkit(virStorageSource > *src, > g_autoptr(qemuNbdkitCaps) nbdkit = NULL; > qemuDomainObjPrivate *priv = vm->privateData; > g_autoptr(virQEMUDriverConfig) cfg = > virQEMUDriverGetConfig(priv->driver); > + uid_t uid; > + gid_t gid; > > if (!cfg->storageUseNbdkit) > return false; > @@ -9118,8 +9120,9 @@ qemuDomainPrepareStorageSourceNbdkit(virStorageSource > *src, > if (!nbdkit) > return false; > > + qemuDomainGetImageIds(cfg, vm->def, NULL, NULL, &uid, &gid);
So here the user/group is used to set the UID/GID of the nbdkit process. But this function also takes 'src' so it would seem to make sense on first glance to pass it to qemuDomainGetImageIds to apply the imagelabel as well. I don't think we want to do that, but the commit is not justifying in any way why qemuDomainGetImageIds is called as it is. Thus you'll have to add a comment expalining why the function is passed only the VM definition. I'd be even more critical to do so if you don't rename it as suggested earlier because qemuDomainGetImageIds really suggests that it ought to have 'src' passed in too. > return qemuNbdkitInitStorageSource(nbdkit, src, priv->libDir, > - alias, cfg->user, cfg->group); > + alias, uid, gid); > } > > > -- > 2.53.0 >
