qemu: fix validation of 'fd' passing for backup job and improve debugability of passed FDs

[PATCH 2/3] docs: backup: Hint at proper selinux labelling of the FD-passed NBD socket

Posted by Peter Krempa via Devel 3 months, 3 weeks ago

From: Peter Krempa <pkrempa@redhat.com>

In case selinux is used on the host the socket passed to qemu needs to
be properly labelled. Add a hint to the example code.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
---
 docs/formatbackup.rst | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/docs/formatbackup.rst b/docs/formatbackup.rst
index 155a45a22f..df6392e3bd 100644
--- a/docs/formatbackup.rst
+++ b/docs/formatbackup.rst
@@ -53,6 +53,10 @@ were supplied). The following child elements and attributes are supported:

      import socket
      import libvirt
+     import selinux
+
+     # Optionally setup selinux context for the socket if the distro uses it
+     # selinux.setsockcreatecon_raw("system_u:object_r:svirt_t:s0")

      s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
      s.bind("/path/to/socket")
-- 
2.49.0

Re: [PATCH 2/3] docs: backup: Hint at proper selinux labelling of the FD-passed NBD socket

Posted by Ján Tomko via Devel 3 months, 3 weeks ago

On a Monday in 2025, Peter Krempa via Devel wrote:
>From: Peter Krempa <pkrempa@redhat.com>
>
>In case selinux is used on the host the socket passed to qemu needs to
>be properly labelled. Add a hint to the example code.
>
>Signed-off-by: Peter Krempa <pkrempa@redhat.com>
>---
> docs/formatbackup.rst | 4 ++++
> 1 file changed, 4 insertions(+)
>
>diff --git a/docs/formatbackup.rst b/docs/formatbackup.rst
>index 155a45a22f..df6392e3bd 100644
>--- a/docs/formatbackup.rst
>+++ b/docs/formatbackup.rst
>@@ -53,6 +53,10 @@ were supplied). The following child elements and attributes are supported:
>
>      import socket
>      import libvirt
>+     import selinux
>+
>+     # Optionally setup selinux context for the socket if the distro uses it
>+     # selinux.setsockcreatecon_raw("system_u:object_r:svirt_t:s0")

Should this hint that the category should also match the domain, to be
"properly" labelled?

Either way:

Reviewed-by: Ján Tomko <jtomko@redhat.com>

Jano

>
>      s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
>      s.bind("/path/to/socket")
>-- 
>2.49.0
>

Re: [PATCH 2/3] docs: backup: Hint at proper selinux labelling of the FD-passed NBD socket

Posted by Peter Krempa via Devel 3 months, 3 weeks ago

On Mon, May 19, 2025 at 18:41:45 +0200, Ján Tomko wrote:
> On a Monday in 2025, Peter Krempa via Devel wrote:
> > From: Peter Krempa <pkrempa@redhat.com>
> > 
> > In case selinux is used on the host the socket passed to qemu needs to
> > be properly labelled. Add a hint to the example code.
> > 
> > Signed-off-by: Peter Krempa <pkrempa@redhat.com>
> > ---
> > docs/formatbackup.rst | 4 ++++
> > 1 file changed, 4 insertions(+)
> > 
> > diff --git a/docs/formatbackup.rst b/docs/formatbackup.rst
> > index 155a45a22f..df6392e3bd 100644
> > --- a/docs/formatbackup.rst
> > +++ b/docs/formatbackup.rst
> > @@ -53,6 +53,10 @@ were supplied). The following child elements and attributes are supported:
> > 
> >      import socket
> >      import libvirt
> > +     import selinux
> > +
> > +     # Optionally setup selinux context for the socket if the distro uses it
> > +     # selinux.setsockcreatecon_raw("system_u:object_r:svirt_t:s0")
> 
> Should this hint that the category should also match the domain, to be
> "properly" labelled?

Well, possibly; but this is actually enough to make it work. I didn't
care digging deeper.

[PATCH 1/3] qemuBackupPrepare: Actually allow 'VIR_STORAGE_NET_HOST_TRANS_FD'
[PATCH 2/3] docs: backup: Hint at proper selinux labelling of the FD-passed NBD socket
[PATCH 3/3] qemu: fd: Log information about passed file descriptor