xenbits.xensource.com Git - libvirt.git/commit

author	Michal Privoznik <mprivozn@redhat.com>
	Fri, 13 Jan 2017 09:03:23 +0000 (10:03 +0100)
committer	Michal Privoznik <mprivozn@redhat.com>
	Fri, 13 Jan 2017 13:45:52 +0000 (14:45 +0100)
commit	93a062c3b293685024d60e841a37e93e303f4943
tree	f25815fd60be394620236d0dd9e77d4b4a4dcbdd	tree
parent	b7f01ea0ed82b687b2d296f87b70a1e640b7f245	commit \| diff

qemu: Copy SELinux labels for namespace too

When creating new /dev/* for qemu, we do chown() and copy ACLs to
create the exact copy from the original /dev. I though that
copying SELinux labels is not necessary as SELinux will chose the
sane defaults. Surprisingly, it does not leaving namespace with
the following labels:

crw-rw-rw-. root root system_u:object_r:tmpfs_t:s0     random
crw-------. root root system_u:object_r:tmpfs_t:s0     rtc0
drwxrwxrwt. root root system_u:object_r:tmpfs_t:s0     shm
crw-rw-rw-. root root system_u:object_r:tmpfs_t:s0     urandom

As a result, domain is unable to start:

error: internal error: process exited while connecting to monitor: Error in GnuTLS initialization: Failed to acquire random data.
qemu-kvm: cannot initialize crypto: Unable to initialize GNUTLS library: Failed to acquire random data.

The solution is to copy the SELinux labels as well.

Reported-by: Andrea Bolognani <abologna@redhat.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>