Bug 546660 - RFE: Disk ownership: Expose required guest file ownership in capabilities
Summary: RFE: Disk ownership: Expose required guest file ownership in capabilities
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Virtualization Tools
Classification: Community
Component: libvirt
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Libvirt Maintainers
QA Contact:
URL:
Whiteboard:
Duplicates: 547542
Depends On:
Blocks: libvirtTodoSecurity
Reported: 2009-12-11 15:43 UTC by Matthew Booth
Modified: 2014-02-09 16:58 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-02-09 16:58:19 UTC
Embargoed:



Description Matthew Booth 2009-12-11 15:43:26 UTC
Description of problem:
F12 changed the default user libvirt runs qemu as from root to qemu. However, virStorageVolCreateXML still defaults to creating volumes as owned by root. In addition, there is no API to determine what the ownership should be set to. This means that any tool which uses libvirt to create a volume:

* must be configured based on the target distro.
* will break if the default is overridden.

I don't think changing the virStorageVolCreateXML default is right, because the pool might also be used by another hypervisor with different requirements. Instead, I think a new API on the connection might be necessary. For example:

virConnectGetPermissions(conn) might return:

          <permissions>
            <owner>0744</owner>
            <group>0744</group>
            <mode>0744</mode>
            <volumelabel>virt_image_t</volumelabel>
          </permissions>

Version-Release number of selected component (if applicable):
libvirt-0.7.4-1.fc12.x86_64

Comment 1 Matthew Booth 2009-12-11 15:45:58 UTC
The above is cut/paste from the docs. However, owner and group are clearly bogus ;) Should of course be uid and gid.

Comment 2 Cole Robinson 2012-02-07 22:34:43 UTC
*** Bug 547542 has been marked as a duplicate of this bug. ***

Comment 3 Cole Robinson 2014-02-09 16:58:19 UTC
This is upstream nowadays:

    <secmodel>
      <model>selinux</model>
      <doi>0</doi>
      <baselabel type='kvm'>system_u:system_r:svirt_t:s0</baselabel>
      <baselabel type='qemu'>system_u:system_r:svirt_tcg_t:s0</baselabel>
    </secmodel>
    <secmodel>
      <model>dac</model>
      <doi>0</doi>
      <baselabel type='kvm'>+107:+107</baselabel>
      <baselabel type='qemu'>+107:+107</baselabel>
    </secmodel>
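
As an added example (not from the bug or from libvirt itself), the following Python reads the dac <secmodel> baselabel from a capabilities document like the one in comment 3 and uses it to set a matching owner/group in the volume XML handed to virStorageVolCreateXML, which is what the original request asked for. The surrounding <capabilities><host> wrapper and the <target><permissions> volume layout are assumed from libvirt's documented formats; the sample document is constructed from the fragment above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <secmodel> fragments from comment 3, wrapped in the
# <host> element where libvirt's capabilities XML places them (assumed layout).
SAMPLE_CAPS = """<capabilities>
  <host>
    <secmodel>
      <model>selinux</model>
      <doi>0</doi>
      <baselabel type='kvm'>system_u:system_r:svirt_t:s0</baselabel>
      <baselabel type='qemu'>system_u:system_r:svirt_tcg_t:s0</baselabel>
    </secmodel>
    <secmodel>
      <model>dac</model>
      <doi>0</doi>
      <baselabel type='kvm'>+107:+107</baselabel>
      <baselabel type='qemu'>+107:+107</baselabel>
    </secmodel>
  </host>
</capabilities>"""

def dac_baselabel(caps_xml, virt_type):
    """Return (uid, gid) from the dac <baselabel> for virt_type, or None."""
    root = ET.fromstring(caps_xml)
    for secmodel in root.iterfind("./host/secmodel"):
        if secmodel.findtext("model") != "dac":
            continue  # skip selinux and any other models
        for label in secmodel.iterfind("baselabel"):
            if label.get("type") == virt_type:
                return parse_dac_label(label.text)
    return None

def parse_dac_label(label):
    """Parse a '+UID:+GID' DAC label; the '+' prefix marks a numeric id.
    Name-based labels are not resolved here and are rejected explicitly."""
    uid_s, gid_s = label.strip().split(":", 1)
    if not (uid_s.startswith("+") and gid_s.startswith("+")):
        raise ValueError(f"unexpected DAC label format: {label!r}")
    return int(uid_s[1:]), int(gid_s[1:])

def volume_xml(name, capacity_bytes, uid, gid, mode="0600"):
    """Build volume XML for virStorageVolCreateXML with the given ownership."""
    vol = ET.Element("volume")
    ET.SubElement(vol, "name").text = name
    ET.SubElement(vol, "capacity", unit="bytes").text = str(capacity_bytes)
    target = ET.SubElement(vol, "target")
    perms = ET.SubElement(target, "permissions")
    ET.SubElement(perms, "owner").text = str(uid)
    ET.SubElement(perms, "group").text = str(gid)
    ET.SubElement(perms, "mode").text = mode  # keep the image private to qemu
    return ET.tostring(vol, encoding="unicode")
```

Calling `dac_baselabel(SAMPLE_CAPS, "kvm")` yields `(107, 107)`, which `volume_xml` then places in <owner> and <group> so the created volume is readable by the user qemu actually runs as.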

