Bug 568935

Summary: RFE: Skip labelling: Ability to skip disk re-labelling step on a per file basis
Product: [Community] Virtualization Tools
Reporter: Cristian Ciupitu <cristian.ciupitu>
Component: libvirt
Assignee: Libvirt Maintainers <libvirt-maint>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: low
Version: unspecified
CC: berrange, clalance, crobinso, eblake, fedora, hbrock, hggdh2, itamar, jforbes, veillard, virt-maint, xen-maint
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2012-04-18 19:44:06 UTC
Bug Blocks: 636032    

Description Cristian Ciupitu 2010-02-27 00:33:18 UTC
Description of problem:
When I use an install ISO image labeled public_content_t, virt-manager will relabel it as virt_content_t without any warnings. It will also change its owner and group to qemu. It should allow virtual machines to read those files (which might also be shared via http, samba or nfs).

Version-Release number of selected component (if applicable):
virt-manager-0.8.2-1.fc12.noarch.rpm

How reproducible:
Every time.

Steps to Reproduce:
1. Create a new VM.
2. Select an ISO image labeled public_content_t.
3. Continue all the steps until the machine is started.
  
Actual results:
The ISO image will be labeled virt_content_t and its owner and group will be changed to qemu.

Expected results:
A warning should be displayed if the permissions of the file need to be changed or, even better, the virtual machine should be allowed to read public_content_t files.

Additional info:
I'm also using the following packages:
libvirt-0.7.1-15.fc12.x86_64.rpm
selinux-policy-targeted-3.6.32-89.fc12.noarch.rpm

A related RFE is bug #568933.

Comment 1 Cole Robinson 2010-02-27 01:42:34 UTC
Libvirt is doing the relabeling here. Reassigning.

Comment 2 Cristian Ciupitu 2010-06-05 16:28:07 UTC
It's still present in libvirt-0.7.7-4.fc13.x86_64.rpm.

Comment 3 Cristian Ciupitu 2010-08-24 16:59:57 UTC
It's still present in libvirt-0.8.2-1.fc13.x86_64.rpm.

Comment 4 Eric Blake 2012-04-18 19:44:06 UTC
Done with this commit in 0.9.9:
commit b43432931aef92325920953ff92beabfbe5224c8
Author: Eric Blake <eblake>
Date:   Thu Dec 22 17:47:50 2011 -0700

    seclabel: allow a seclabel override on a disk src
    
    Implement the parsing and formatting of the XML addition of
    the previous commit.  The new XML doesn't affect qemu command
    line, so we can now test round-trip XML->memory->XML handling.
    
    I chose to reuse the existing structure, even though per-device
    override doesn't use all of those fields, rather than create a
    new structure, in order to reuse more code.
    
    * src/conf/domain_conf.h (_virDomainDiskDef): Add seclabel member.
    * src/conf/domain_conf.c (virDomainDiskDefFree): Free it.
    (virSecurityLabelDefFree): New function.
    (virDomainDiskDefFormat): Print it.
    (virSecurityLabelDefFormat): Reduce output if model not present.
    (virDomainDiskDefParseXML): Alter signature, and parse seclabel.
    (virSecurityLabelDefParseXML): Split...
    (virSecurityLabelDefParseXMLHelper): ...into new helper.
    (virDomainDeviceDefParse, virDomainDefParseXML): Update callers.
    * tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-override.args:
    New file.
    * tests/qemuxml2xmltest.c (mymain): Enhance test.
    * tests/qemuxml2argvtest.c (mymain): Likewise.
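
An added example, not part of the bug report or of libvirt's code: a Python check that reads a domain XML and reports which file-backed disk sources libvirt would relabel, honouring the per-source `<seclabel relabel='no'/>` override that the commit in comment 4 introduced. The domain XML and paths are constructed, the function names are hypothetical, and the behaviour when the domain has no top-level `<seclabel>` is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed domain XML, not taken from the bug report. The cdrom source
# carries the per-disk override; the second disk has none.
DOMAIN_XML = """
<domain type='kvm'>
  <name>demo</name>
  <seclabel type='dynamic' model='selinux'/>
  <devices>
    <disk type='file' device='cdrom'>
      <source file='/srv/share/install.iso'>
        <seclabel relabel='no'/>
      </source>
      <target dev='hdc' bus='ide'/>
      <readonly/>
    </disk>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/demo.img'/>
      <target dev='vda' bus='virtio'/>
    </disk>
  </devices>
</domain>
"""

def domain_relabels(root):
    """Domain-wide default: does libvirt relabel disk sources at all?"""
    top = root.find("seclabel")
    if top is None:
        return True  # assumption: the driver defaults to dynamic labelling
    kind = top.get("type", "dynamic")
    if kind == "none":
        return False
    if kind == "static":
        return top.get("relabel", "no") == "yes"  # static defaults to no
    return True  # dynamic labelling always relabels

def relabel_plan(domain_xml):
    """Map each file/block disk source path to True if libvirt would relabel it."""
    root = ET.fromstring(domain_xml)
    default = domain_relabels(root)
    plan = {}
    for src in root.iterfind("./devices/disk/source"):
        path = src.get("file") or src.get("dev")
        if path is None:
            continue  # other source kinds are out of scope for this check
        override = src.find("seclabel")  # per-source override (libvirt 0.9.9+)
        plan[path] = default if override is None else override.get("relabel", "yes") == "yes"
    return plan
```

Running `relabel_plan` over the definitions of guests that use shared ISO images shows which images would still have their label changed when the guest starts.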