Red Hat Bugzilla – Bug 509834
sVirt changing file context impacts other access
Last modified: 2009-08-13 14:30:22 EDT
Description of problem:
The current implementation of sVirt impacts other process access. For example, if a virtual guest defines an ISO image file which is also accessed by httpd, the file's context is changed from "public_content_t" to "virt_content_t" which makes that file no longer accessible by httpd. This is wrong!
I suggest that there should be NO changing of file context!
Instead, sVirt should depend on the settings in the standard policy and any policy changes made with semanage.
Furthermore, any file with a context of "public_content_t" or "public_content_rw_t" should be accessible by a guest if it has been defined to that guest.
I am not sure what should be done with real devices such as /dev/sr0.
I also suggest that context "nfs_t" should also be OK.
If file contexts are not changed, this also eliminates the problem of using read-only file systems.
This report replaces https://bugzilla.redhat.com/show_bug.cgi?id=508865 which I do not consider to be a dup of this report.
*** Bug 508865 has been marked as a duplicate of this bug. ***
svirt is designed to change the context of the image files and other devices that it will use. If you want to allow httpd to share virtual image content then you need to write policy to allow it to read virtual images, or turn svirt off (not recommended.) I could add a boolean to allow this share virtual content via httpd if you believe this will be real common.
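The approach described in the comment above, granting httpd read access to virt_content_t through policy rather than changing the file's label, as an added example that is not part of the bug report or of the svirt/libvirt code. The image path, the module name "httpd_virt_content" and the sample context string are assumptions for illustration; the commands (stat, checkmodule, semodule_package, semodule) are the standard SELinux tooling.

```shell
#!/bin/sh
# Added example (not from the bug report): inspect the label libvirt has put on a
# guest's ISO and, if httpd must also read it, build a small local SELinux policy
# module that lets httpd_t read virt_content_t. The sVirt label stays as it is.

# Print the SELinux context of a file via GNU stat. When the path does not exist
# or the host has no SELinux ("?" is printed), fall back to a constructed sample
# context so the helper also runs offline.
file_context() {
    path="$1"
    ctx=""
    if [ -e "$path" ]; then
        ctx=$(stat -c %C "$path" 2>/dev/null || true)
    fi
    if [ -z "$ctx" ] || [ "$ctx" = "?" ]; then
        ctx="system_u:object_r:virt_content_t:s0"   # constructed sample
    fi
    echo "$ctx"
}

# Extract the type field (third colon-separated component) of a context string,
# e.g. "virt_content_t" from "system_u:object_r:virt_content_t:s0".
context_type() {
    echo "$1" | cut -d: -f3
}

# Emit a type-enforcement module allowing httpd_t to read virt_content_t files.
# Module name is an assumption; the types and classes are the real policy names.
httpd_virt_content_te() {
    cat <<'EOF'
module httpd_virt_content 1.0;

require {
    type httpd_t;
    type virt_content_t;
    class file { getattr open read };
}

# Let the web server read image files that libvirt has labelled for a guest.
allow httpd_t virt_content_t:file { getattr open read };
EOF
}

# Compile and load the module (run as root; needs checkpolicy and policycoreutils).
install_module() {
    name="httpd_virt_content"
    httpd_virt_content_te > "$name.te"
    checkmodule -M -m -o "$name.mod" "$name.te" &&
    semodule_package -o "$name.pp" -m "$name.mod" &&
    semodule -i "$name.pp"
}

# Usage (as root), path is an assumption:
#   ctx=$(file_context /var/lib/libvirt/images/guest.iso)
#   [ "$(context_type "$ctx")" = "virt_content_t" ] && install_module
#   sesearch -A -s httpd_t -t virt_content_t -c file    # confirm the new rule
```

A policy module keeps the relabelling that svirt relies on for guest isolation while adding only the one read permission httpd needs; it is narrower than turning svirt off and survives the label being reset when the guest releases the image.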
(In reply to comment #2)
> I could add a boolean to allow this share virtual
> content via httpd if you believe this will be real common.
So this would allow httpd to access virt_content_t?
Gene: would that work for you?
(Otherwise, from what dwalsh is saying, I think we should close this as WONTFIX)
I am satisfied with the way things work with the rawhide packages which have been made available for Fedora 11 (the preview set).
Resetting the context after use works for me.
It is not a matter of WONTFIX but more (IMHO) of BEENFIXED
Gene, what change are you referring to?
I was primarily concerned about ISO image files.
When I first started using qemu-kvm-libvirt, the context for the ISO file was changed and then left changed when the guest terminated or the ISO image file was disconnected.
I then started using the virt-preview set of packages when they appeared and, at that time, the context was reset to its "normal" value when the guest was done with that image.
I understand the need to change the context and, since I am only using these image files during install, I can live with the context change for that "brief" period of time.