Date: Wed, 24 Sep 2025 13:05:53 +0200
From: Stefano Brivio
To: "Richard W.M. Jones"
Subject: Re: [PATCH] test: Update README.md
Message-ID: <20250924130553.673cc9c0@elisabeth>
In-Reply-To: <20250924103131.GU1460@redhat.com>
References: <20250919014329.6007-1-yuhuang@redhat.com>
 <20250919115822.4e3aab21@elisabeth>
 <20250922220338.49013fce@elisabeth>
 <20250923123213.61ddd9d5@elisabeth>
 <20250924104632.75b3f5a8@elisabeth>
 <20250924085621.GT1460@redhat.com>
 <20250924110909.43a16cfa@elisabeth>
 <20250924103131.GU1460@redhat.com>
Organization: Red Hat
CC: Yumei Huang, passt-dev@passt.top, david@gibson.dropbear.id.au, berrange@redhat.com
List-Id: Development discussion and patches for passt

On Wed, 24 Sep 2025 11:31:31 +0100
"Richard W.M. Jones" wrote:

> On Wed, Sep 24, 2025 at 11:09:09AM +0200, Stefano Brivio wrote:
> > And now that you say that, I just realised that it would be as simple
> > as:
> >
> >   https://libguestfs.org/guestfs-faq.1.html#permission-denied-when-running-libguestfs-as-root
> >
> >   LIBGUESTFS_BACKEND=direct virt-edit...
>
> While that will indeed work, we're trying to discourage people from
> doing that, since it removes the other good things that libvirt does,
> such as setting up SELinux.

Oh, I see. I guess it makes sense, with a number of caveats:

1. libvirt's SELinux policy doesn't seem to be really maintainable /
   long-term sustainable to me, especially because it's still part of
   fedora-selinux

2. it adds a rather artificial dependency on libvirt, so in the end
   you're running more things, and more complicated ones, even if it's
   not needed

3. the profile is still much looser than what a libguestfs-specific
   profile could be, see for example the AppArmor policy I introduced
   at:

     https://salsa.debian.org/libvirt-team/guestfs-tools/-/commit/e638b1bcb8a6621d0b61907f9269a2506680684f

   which, despite being rather loose, is still arguably much stricter
   than this beast (and related add-ons):

     https://gitlab.com/libvirt/libvirt/-/blob/master/src/security/apparmor/usr.sbin.libvirtd.in

   and I think a strict subset of it, as well.

Now, it's all a bit simpler with AppArmor as we don't have the
multi-category security stuff, but conceptually this point should apply
to SELinux too.

Still, to prepare guest images in our test suite, I think we could
happily use that trick. For this specific usage, we're not particularly
concerned about security, and guests are essentially trusted.

We're using virt-edit to add root auto-login without password, that's
how much we care about security there.

> The real solution here IMHO is for libvirt to make session mode work
> for root without changing UID. It actually goes out of its way to
> stop this working at the moment[1].
>
> Rich.
>
> [1] In qemuStateInitialize -> virQEMUDriverConfigNew, I think

Another bit of the solution is probably to introduce a separate SELinux
policy for libguestfs itself. No, sorry, I can't volunteer for that
right now. :(

-- 
Stefano