On 04/06/2018 10:54 AM, Daniel P. Berrangé wrote:
On Fri, Apr 06, 2018 at 10:49:23AM -0400, Stefan Berger wrote:

I would feel better if we just directly killed the process - with
this approach if something goes wrong with swtpm it may never
respond to this request and stay running.
swtpm can write a pidfile. I am only adding this later in this series.
Problem is with --daemon libvirt doesn't know the pid of the swtpm anymore.
The other option is to not use --daemon, and let libvirt write the pid
file, but that introduces the race with socket path creation again
which is not good.
Sounds like we should leave this as it is? Unless swtpm was broken, there
shouldn't be a reason why the we wouldn't be able to shut down swtpm by
sending a command to it. The socket and its directory must not have
disappeared of course.

I reworked this patch series quite a bit. Primarily in regards to the directories for where the data, socket, logfile, and pidfiles are stored. At the moment I need the following two additional SELinux rules for svirt on Fedora 23 (old).

allow svirt_t virtd_t:fifo_file write;
allow svirt_t virtd_t:process sigchld;

Not sure where I can find the sources for the policy, but maybe there's a more recent version that already has it?

Should this first patch be split? Take out the XML parser and generator ?



libvir-list mailing list

Reply via email to