Re: [PATCH] test: Update README.md

public inbox for passt-dev@passt.top
 help / color / mirror / code / Atom feed

From: Stefano Brivio <sbrivio@redhat.com>
To: "Richard W.M. Jones" <rjones@redhat.com>
Cc: Yumei Huang <yuhuang@redhat.com>,
	passt-dev@passt.top, david@gibson.dropbear.id.au,
	berrange@redhat.com
Subject: Re: [PATCH] test: Update README.md
Date: Wed, 24 Sep 2025 13:05:53 +0200	[thread overview]
Message-ID: <20250924130553.673cc9c0@elisabeth> (raw)
In-Reply-To: <20250924103131.GU1460@redhat.com>

On Wed, 24 Sep 2025 11:31:31 +0100
"Richard W.M. Jones" <rjones@redhat.com> wrote:

> On Wed, Sep 24, 2025 at 11:09:09AM +0200, Stefano Brivio wrote:
> > And now that you say that, I just realised that it would be as simple
> > as:
> > 
> >   https://libguestfs.org/guestfs-faq.1.html#permission-denied-when-running-libguestfs-as-root
> > 
> >   LIBGUESTFS_BACKEND=direct virt-edit...  
> 
> While that will indeed work, we're trying to discourage people from
> doing that, since it removes the other good things that libvirt does,
> such as setting up SELinux.

Oh, I see. I guess it makes sense, with a number of caveats:

1. libvirt's SELinux policy doesn't seem to be really maintainable /
   long-term sustainable to me, especially because it's still part of
   fedora-selinux

2. it adds a rather artificial dependency on libvirt, so in the end
   you're running more things, and more complicated ones, even if it's
   not needed

3. the profile is still much looser than what a libguestfs specific
   profile could be, see for example the AppArmor policy I introduced
   at:

     https://salsa.debian.org/libvirt-team/guestfs-tools/-/commit/e638b1bcb8a6621d0b61907f9269a2506680684f

   which, despite being rather loose, is still arguably much stricter
   than this beast (and related add-ons):

     https://gitlab.com/libvirt/libvirt/-/blob/master/src/security/apparmor/usr.sbin.libvirtd.in

   and I think a strict subset of it, as well.

   Now, it's all a bit simpler with AppArmor as we don't have the
   multi-category security stuff, but conceptually this point should
   apply to SELinux too.

Still, to prepare guest images in our test suite, I think we could
happily use that trick.

For this specific usage, we're not particularly concerned about
security, and guests are essentially trusted. We're using virt-edit to
add root auto-login without password, that's how much we care about
security there.

> The real solution here IMHO is for libvirt to make session mode work
> for root without changing UID.  It actually goes out of its way to
> stop this working at the moment[1].
> 
> Rich.
> 
> [1] In qemuStateInitialize -> virQEMUDriverConfigNew, I think

Another bit of the solution is probably to introduce a separate
SELinux policy for libguestfs itself. No, sorry, I can't volunteer for
that right now. :(

-- 
Stefano

next prev parent reply	other threads:[~2025-09-24 11:06 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-09-19  1:43 Yumei Huang
2025-09-19  5:00 ` David Gibson
2025-09-19  9:58 ` Stefano Brivio
2025-09-22  3:03   ` Yumei Huang
2025-09-22 20:03     ` Stefano Brivio
2025-09-23  6:36       ` Yumei Huang
2025-09-23  7:16         ` Yumei Huang
2025-09-23 10:32         ` Stefano Brivio
2025-09-24  1:58           ` David Gibson
2025-09-24  1:58           ` Yumei Huang
2025-09-24  3:44             ` David Gibson
2025-09-24  4:02               ` Yumei Huang
2025-09-24  8:46             ` Stefano Brivio
2025-09-24  8:56               ` Richard W.M. Jones
2025-09-24  9:09                 ` Stefano Brivio
2025-09-24 10:31                   ` Richard W.M. Jones
2025-09-24 11:00                     ` Daniel P. Berrangé
2025-09-25  9:21                       ` Richard W.M. Jones
2025-09-24 11:05                     ` Stefano Brivio [this message]
2025-09-24 11:20                       ` Daniel P. Berrangé
2025-09-24 11:48                         ` Stefano Brivio
2025-09-25  5:16                       ` Yumei Huang
2025-09-23  7:49   ` David Gibson

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250924130553.673cc9c0@elisabeth \
    --to=sbrivio@redhat.com \
    --cc=berrange@redhat.com \
    --cc=david@gibson.dropbear.id.au \
    --cc=passt-dev@passt.top \
    --cc=rjones@redhat.com \
    --cc=yuhuang@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this public inbox

	https://passt.top/passt

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for IMAP folder(s).