From: Michal Privoznik
To: libvir-list@redhat.com
Subject: [PATCH 7/7] docs: Recommend static seclabels for migration on shared storage
Date: Wed, 21 Dec 2022 08:43:57 +0100
Message-Id: <5ac0d7f5d59330fd33db9ab190a7368a8e24ce8f.1671608556.git.mprivozn@redhat.com>

There are some network FSs (ceph, CIFS) that propagate XATTRs properly and thus SELinux labels too. In such a case using dynamic seclabels would get in the way of migration as a new seclabel is assigned to the domain on the destination and thus two processes with different labels (the source and the destination QEMU/helper process) would try to access the same file. One of them is necessarily going to be denied access.

Signed-off-by: Michal Privoznik
Reviewed-by: Peter Krempa
--- docs/drvqemu.rst | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/drvqemu.rst b/docs/drvqemu.rst index bbd51066a1..fa23912937 100644 --- a/docs/drvqemu.rst +++ b/docs/drvqemu.rst
@@ -294,6 +294,13 @@ use the 'context' option when mounting the filesystem = to set the default label to ``system_u:object_r:virt_image_t``. In the case of NFS, there is an alternative option, of enabling the ``virt_use_nfs`` SELinux boolean. =20 +There are some network filesystems, however, that propagate SELinux labels +properly, just like a local filesystem (e.g. ceph of CIFS). In such case, +dynamic labelling (described below) might prevent migration of a virtual +machine as new unique SELinux label is assigned to the virtual machine on = the +migration destination side. Users are advised to use static labels (````). + SELinux sVirt confinement ~~~~~~~~~~~~~~~~~~~~~~~~~ =20 --=20 2.38.2
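
Review bot: the added paragraph says dynamic labelling "might prevent migration" but leaves out the reason the commit message gives, namely that the source and destination QEMU/helper processes run with different labels against the same file and one of them is denied access; one sentence stating that would tell readers when the advice applies. In the same paragraph, "ceph of CIFS" should read "ceph or CIFS", "In such case" and "as new unique SELinux label" each need an article, and the parenthetical after "static labels" is an empty literal in this copy, so check that the source names the static seclabel setting there.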