On 2/22/23 12:30, Stefano Brivio wrote:
>>
>> I don't think we need such drastic measure. I think you can use:
>>
>> qemuPasstStart()
>> {
>>
>>
>> seclabel = virDomainDefGetSecurityLabelDef(vm->def, "selinux");
>> s = context_new(seclabel->label);
>> context_type_set(s, "virt_t);
>> newLabel = context_str(s);
>>
>> virCommandSetSELinuxLabel(cmd, newLabel);
>>
>> virCommandRun();
>> }
>
> Yes, I actually tried something like this and it seemed to work, but I
> didn't propose it as it looks (is) gross.
>
Agreed, it's not something I'd show to my kids, but it works.
> On the other hand, if you think it's acceptable as a temporary measure,
> let me test it (in a bit). Thanks for the snippet.
>
Forgot to mention, it should be wrapped in #ifdef WITH_SELINUX as we
offer users to compile without SELinux support (e.g. FreeBSD which does
support QEMU but doesn't have SELinux, what a surprise, right?).
Michal
