mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2025-01-24 13:35:17 +00:00
cf976d9dcf
https://bugzilla.redhat.com/show_bug.cgi?id=1095636 When starting up the domain the domain's NICs are allocated. As of 1f24f682 (v1.0.6) we are able to use multiqueue feature on virtio NICs. It breaks network processing into multiple queues which can be processed in parallel by different host CPUs. The queues are, however, created by opening /dev/net/tun several times. Unfortunately, only the first FD in the row is labelled so when turning the multiqueue feature on in the guest, qemu will get AVC denial. Make sure we label all the FDs needed. Moreover, the default label of /dev/net/tun doesn't allow attaching a queue: type=AVC msg=audit(1399622478.790:893): avc: denied { attach_queue } for pid=7585 comm="qemu-kvm" scontext=system_u:system_r:svirt_t:s0:c638,c877 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=tun_socket And as suggested by SELinux maintainers, the tun FD should be labeled as svirt_t. Therefore, we don't need to adjust any range (as done previously by Guannan in ae368ebf) rather set the seclabel of the domain directly. Signed-off-by: Michal Privoznik <mprivozn@redhat.com>