On 08/16/2012 11:41 AM, Viktor Mihajlovski wrote:
> On 08/10/2012 03:47 PM, Daniel P. Berrange wrote:
>> This patch series makes a number of changes to the SELinux label
>> generation code. This is intended to make it fully honour the current
>> process label when generating VM labels, so that dynamic label generation
>> works better with custom policies, or confined user accounts.
>>
>> --
>> libvir-list mailing list
>> libvir-list@redhat.com
>> https://www.redhat.com/mailman/listinfo/libvir-list
>
> Unfortunately I am not selinux-savvy enough to understand exactly why, but
> I cannot start guests any more after pulling master.
>
> The issue is that the virtual disk's security context (a block device in
> this case) cannot be set, message shown below.
>
> 012-08-16 15:02:18.891+0000: 1536: error :
> virSecuritySELinuxSetFileconHelper:652 : unable to set security context
> 'system_u:system_r:svirt_image_t:s0:c786,c986' on
> '/dev/disk/by-path/ccw-0.0.3770-part1': Invalid argument
>
> Prior to that the security context would have looked like this
> system_u:object_r:svirt_image_t:s0:c153,c923, i.e. using object_r instead
> of system_r.
>
> I am running on RHEL 6.2, not sure whether this is relevant.

Yes, the security context should be
system_u:object_r:svirt_image_t:s0:c786,c986.

These patches should have just affected the process label, not the file
label. On the file label we should alter the role on the file label to
include object_r.
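
The role substitution described in the reply, as an added example that is not part of the original thread and is not libvirt's code: `context_with_role` and `file_context_from` are hypothetical helpers that do the rewrite with plain string handling instead of libselinux. The sample input is the context from the quoted error message.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not libvirt code): copy an SELinux context of the
 * form user:role:type[:range] into out with the role replaced by new_role.
 * Only the first two colons are parsed as separators; everything from the
 * type onward, including an MLS/MCS range such as "s0:c786,c986" that has
 * a colon of its own, is copied verbatim.
 * Returns 0 on success, -1 on a malformed context or a too-small buffer. */
int context_with_role(const char *ctx, const char *new_role,
                      char *out, size_t outlen)
{
    const char *role = strchr(ctx, ':');          /* colon ending the user */
    if (role == NULL || role == ctx)
        return -1;
    const char *type = strchr(role + 1, ':');     /* colon ending the role */
    if (type == NULL || type == role + 1 || type[1] == '\0' || type[1] == ':')
        return -1;
    if (new_role[0] == '\0' || strchr(new_role, ':') != NULL)
        return -1;
    int n = snprintf(out, outlen, "%.*s:%s%s",
                     (int)(role - ctx), ctx, new_role, type);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Per the reply in the thread: the file label carries object_r, while the
 * process label keeps whatever role the process context has. */
int file_context_from(const char *ctx, char *out, size_t outlen)
{
    return context_with_role(ctx, "object_r", out, outlen);
}

int main(void)
{
    /* Context taken from the error message quoted in the thread. */
    const char *bad = "system_u:system_r:svirt_image_t:s0:c786,c986";
    char fixed[256];

    if (file_context_from(bad, fixed, sizeof(fixed)) != 0) {
        fprintf(stderr, "malformed context: %s\n", bad);
        return 1;
    }
    printf("%s\n", fixed);
    return 0;
}
```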