Description of problem: <seclabel model='dac' relabel='no'/> does not work, the owner and the group of the file are still changed to qemu:qemu. Version-Release number of selected component (if applicable): libvirt-daemon-1.1.1-2.fc19.x86_64.rpm How reproducible: Every time Steps to Reproduce: 1. Create a virtual machine 2. Attach a CD image to it: # virsh dumpxml test ... <disk type='file' device='cdrom'> <driver name='qemu' type='raw'/> <source file='/mnt/extra/Software/Linux/Fedora/Fedora-Live-Desktop-x86_64-19/Fedora-Live-Desktop-x86_64-19-1.iso'> <seclabel model='selinux' relabel='no'/> <seclabel model='dac' relabel='no'/> </source> <target dev='hdc' bus='ide'/> <readonly/> <shareable/> <address type='drive' controller='0' bus='1' target='0' unit='0'/> </disk> 3. Start the machine: # ls -lZ Fedora-Live-Desktop-x86_64-19-1.iso -r--r--r--. root root system_u:object_r:public_content_t:s0 Fedora-Live-Desktop-x86_64-19-1.iso # virsh start test Domain test started Actual results: # ls -lZ Fedora-Live-Desktop-x86_64-19-1.iso -r--r--r--. qemu qemu system_u:object_r:public_content_t:s0 Fedora-Live-Desktop-x86_64-19-1.iso Expected results: The owner & group shouldn't be changed. Additional info: https://www.redhat.com/archives/libvirt-users/2013-August/msg00100.html
Just to avoid any confusion, the RPM was installed from the fedora-virt-preview repository.
Patches for this have been proposed upstream: https://www.redhat.com/archives/libvir-list/2014-March/msg01450.html https://www.redhat.com/archives/libvir-list/2014-April/msg00196.html
Merged upstream as of: commit 9369a562446b7bb5314e6e1f6e65379bc1da6721 Author: Jim Fehlig <jfehlig> AuthorDate: 2014-05-15 16:38:01 -0600 Commit: Jim Fehlig <jfehlig> CommitDate: 2014-05-16 15:32:14 -0600 security_dac: avoid relabeling when relabel='no' If relabel='no' at the domain level, no need to attempt relabeling in virSecurityDAC{Set,Restore}SecurityAllLabel(). Signed-off-by: Michal Privoznik <mprivozn> Signed-off-by: Jim Fehlig <jfehlig> git describe: v1.2.4-84-g9369a56
Confirmed that it works fine with libvirt-daemon-kvm-1.2.7-2.fc20.x86_64.