On Thu, 2010-04-01 at 14:01 -0400, Scott Moser wrote:
> > > 4. libvirt chown's the disk files to root:root for people using
> > > qemu:///system. I don't know why it is doing this, but it is likely
> > > related to upstream changes (and assumptions) made for the DAC security
> > > driver. This seems like someone will need to at least investigate if not
> > > patch.
> >
> > Hmm, okay, I think this is okay. Looking at
> > /var/lib/eucalyptus/instances/admin/*/disk, these are owned by
> > root:root right now with libvirt 0.7.5-5ubuntu15 and eucalyptus
> > 1.6.2-0ubuntu26, which is working.
>
> Could this be related to apparmor? As I found in
> https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/544435 (but I guess
> I didn't comment there). If you chown root:root the qemu source and qemu
> backing device of a qcow image it will work. If either is user-owned, it
> will not.

I looked at this a bit more and this is not related to apparmor. 0.7.7 uses a stacked security driver implementation. The primary driver is AppArmor, the secondary the DAC security driver (not to be confused with standard DAC permissions, which are also checked by the kernel on exec of qemu-kvm). If AppArmor allows it, then the DAC security driver is consulted. The DAC security driver is what is doing the chowning.

The DAC security driver is always in use, so if you disable AppArmor or SELinux, then DAC becomes the primary driver and there is no secondary (and you'll see the same chowning). This is the new way from upstream.

--
Jamie Strandboge | http://www.canonical.com
--
ubuntu-server mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
