Description of problem: SELinux is not labeling it properly and init script is trying to create the directory on start. Ends up with the wrong label.
Dan, what ends up breaking as a result? (i.e. should it be on the blocker list?)
THe /var/cache/libvirt directory gets wrong SELinux labelling, so virDomainMemoryPeek() api will fail if running SELinux enforcing mode.
Well only if you remove the unconfined.pp package, Since by default libvirt is currently running as an unconfined domain. If qemu processes do not use this directory, nothing bad should happen. But these files will remain mislabeled until we trigger a relabel, and could cause other problems.
Actually QEMU processes do use this directory. What happens with virDomainPeek is: - Application invokes virDomainPeek - Libvirt's QEMU driver, talks to the QEMU monitor console to say 'dump memory region XXX to /var/cache/libivirt/mem.YYYY' - QEMU now writes that requested memory region to the given file - libvirtd them reads the data from that file & deletes it So, QEMU needs to be able to create new files in that directory, and thus we need to make sure labelling is correct.
Ok then this needs to be fixed.
I just build libvirt-0.6.3-2.fc12 in rawhide with the fix, Daniel
DV: you've built the fix into dist-f12, but rawhide is built from dist-f11 at the moment. We need it fixed for F-11, too So, you'll need to: 1) Fix in rpms/libvirt/F-11 and build; the build will go to dist-f11-updates-candidate 2) Request rel-eng to tag it into dist-f11 according to https://fedoraproject.org/wiki/ReleaseEngineering/FinalFreezePolicy
1) done libvirt-0.6.2-3.fc11 built in dist-f11-updates-candidate I let you do 2) Daniel
Tag request https://fedorahosted.org/rel-eng/ticket/1673
This is in rawhide now