On Sun, 2017-08-27 at 12:20 -0400, Cole Robinson wrote:
> This fixes the last issue preventing qemu:///system spice GL from working
> out of the box: chown'ing the rendernode path so we have permissions
> to open it.
>
> We skip this if mount namespaces are disabled, so the chown'ing won't
> interfere with other rendernode users on the host.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1460804
>
> v2:
> Add the MOUNT_NAMESPACE handling
> Drop DAC restore of rendernode
>
> Cole Robinson (2):
> security: add MANAGER_MOUNT_NAMESPACE flag
> security: dac: relabel spice rendernode
>
> src/qemu/qemu_driver.c | 2 ++
> src/security/security_dac.c | 68 +++++++++++++++++++++++++++++++++++++++++
> src/security/security_dac.h | 3 ++
> src/security/security_manager.c | 4 ++-
> src/security/security_manager.h | 1 +
> 5 files changed, 77 insertions(+), 1 deletion(-)
Looks reasonable and works as expected on my Fedora 26
installation, so for the entire series:
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
You should document this in the release notes, though :)
--
Andrea Bolognani / Red Hat / Virtualization
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list