libvirt doesn't have a concept of "session qemu" for root: https://bugzilla.redhat.com/show_bug.cgi?id=890291

When a libguestfs-using process runs as root, and libvirt runs a qemu subprocess, the qemu subprocess is run as a non-root user (typically qemu.qemu). This causes various problems, for example if we try to open a file which is readable by root but unreadable by qemu.qemu then the operation will fail.

This can be changed globally via a configuration file, but it can also be changed by using a <seclabel/> clause in the XML (although I think that's not the only effect):

  <seclabel type="static" model="dac" relabel="no">
    <label>0:0</label>
  </seclabel>

This patch makes that change.

I notice that after this change, qemu is indeed running as root. However the file being examined still gets relabelled by SELinux (to virt_content_t IIRC). Maybe this relabelling is in fact desirable.

Also as you can see from the patch there are cases where we use another <seclabel model='selinux'/> element to set labels to a known value. It's not clear if we can include both <seclabel/> elements. The patch as shown overrides the selinux seclabel if running as root.

Rich.
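
An added example, not part of the original post or of the libguestfs patch: a small audit helper that reads a libvirt domain XML document and reports which <seclabel/> models it carries and whether a static DAC label makes qemu run as root. The function names, the sample domains and the SELinux label are constructed for illustration; it assumes a DAC label of the form user:group, where each side is a name or a numeric id with an optional leading "+".

```python
import xml.etree.ElementTree as ET

# Constructed sample: the DAC seclabel quoted in the message, next to an
# SELinux seclabel with a made-up label value.
SAMPLE_ROOT = """
<domain type="kvm">
  <name>guestfs-example</name>
  <seclabel type="static" model="dac" relabel="no">
    <label>0:0</label>
  </seclabel>
  <seclabel type="static" model="selinux" relabel="yes">
    <label>system_u:system_r:svirt_t:s0:c1,c2</label>
  </seclabel>
</domain>
"""

# Constructed sample: no seclabel at all, so the global setting applies.
SAMPLE_DEFAULT = """
<domain type="kvm">
  <name>guestfs-default</name>
</domain>
"""

def is_root_id(field):
    """True if a user or group field of a DAC label refers to id 0."""
    field = field.strip()
    numeric = field[1:] if field.startswith("+") else field
    if numeric.isdigit():
        return int(numeric) == 0
    # Assumption: the account named "root" has id 0 on this host.
    return field == "root"

def audit_seclabels(domain_xml):
    """Summarise the top-level <seclabel> elements of one domain."""
    domain = ET.fromstring(domain_xml)
    summary = {"models": [], "qemu_as_root": False, "dac_relabel": None}
    for seclabel in domain.findall("seclabel"):
        model = seclabel.get("model")
        summary["models"].append(model)
        # Only a static DAC label pins the uid:gid of the qemu process.
        if model != "dac" or seclabel.get("type") != "static":
            continue
        summary["dac_relabel"] = seclabel.get("relabel")
        user, _, _group = (seclabel.findtext("label") or "").partition(":")
        summary["qemu_as_root"] = is_root_id(user)
    return summary

if __name__ == "__main__":
    for sample in (SAMPLE_ROOT, SAMPLE_DEFAULT):
        print(audit_seclabels(sample))
```

A domain with no DAC seclabel reports qemu_as_root as False here; in that case the user qemu runs as comes from the global configuration mentioned in the message, which this helper does not read.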