Bug 546660

Summary: RFE: Disk ownership: Expose required guest file ownership in capabilities
Product: [Community] Virtualization Tools Reporter: Matthew Booth <mbooth>
Component: libvirtAssignee: Libvirt Maintainers <libvirt-maint>
Status: CLOSED UPSTREAM QA Contact:
Severity: medium Docs Contact:
Priority: low    
Version: unspecifiedCC: berrange, clalance, crobinso, itamar, jforbes, veillard, virt-maint, xen-maint
Target Milestone: ---Keywords: Triaged
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 547542 (view as bug list) Environment:
Last Closed: 2014-02-09 16:58:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 636032    

Description Matthew Booth 2009-12-11 15:43:26 UTC 
Description of problem:
F12 changed the default user libvirt runs qemu as from root to qemu. However, virStorageVolCreateXML still defaults to creating volumes as owned by root. In addition, there is no API to determine what the ownership should be set to. This means that any tool which uses libvirt to create a volume:

* must be configured based on the target distro.
* will break if the default is overridden.

I don't think changing the virStorageVolCreateXML default is right, because the pool might also be used by another hypervisor with different requirements. Instead, I think a new API on the connection might be necessary. For example:

virConnectGetPermissions(conn) might return:

          <permissions>
            <owner>0744</owner>
            <group>0744</group>
            <mode>0744</mode>
            <volumelabel>virt_image_t</volumelabel>
          </permissions>

Version-Release number of selected component (if applicable):
libvirt-0.7.4-1.fc12.x86_64
Comment 1 Matthew Booth 2009-12-11 15:45:58 UTC 
The above is cut/paste from the docs. However, owner and group are clearly bogus ;) Should of course be uid and gid.
Comment 2 Cole Robinson 2012-02-07 22:34:43 UTC 
*** Bug 547542 has been marked as a duplicate of this bug. ***
Comment 3 Cole Robinson 2014-02-09 16:58:19 UTC 
This is upstream nowadays:

    <secmodel>
      <model>selinux</model>
      <doi>0</doi>
      <baselabel type='kvm'>system_u:system_r:svirt_t:s0</baselabel>
      <baselabel type='qemu'>system_u:system_r:svirt_tcg_t:s0</baselabel>
    </secmodel>
    <secmodel>
      <model>dac</model>
      <doi>0</doi>
      <baselabel type='kvm'>+107:+107</baselabel>
      <baselabel type='qemu'>+107:+107</baselabel>
    </secmodel>