Re: [PATCH] test: Update README.md

[Yumei Huang <yuhuang@redhat.com>]

On Wed, Sep 24, 2025 at 7:06 PM Stefano Brivio <sbrivio@redhat.com> wrote:
>
> On Wed, 24 Sep 2025 11:31:31 +0100
> "Richard W.M. Jones" <rjones@redhat.com> wrote:
>
> > On Wed, Sep 24, 2025 at 11:09:09AM +0200, Stefano Brivio wrote:
> > > And now that you say that, I just realised that it would be as simple
> > > as:
> > >
> > >   https://libguestfs.org/guestfs-faq.1.html#permission-denied-when-running-libguestfs-as-root
> > >
> > >   LIBGUESTFS_BACKEND=direct virt-edit...
> >
> > While that will indeed work, we're trying to discourage people from
> > doing that, since it removes the other good things that libvirt does,
> > such as setting up SELinux.
>
> Oh, I see. I guess it makes sense, with a number of caveats:
>
> 1. libvirt's SELinux policy doesn't seem to be really maintainable /
>    long-term sustainable to me, especially because it's still part of
>    fedora-selinux
>
> 2. it adds a rather artificial dependency on libvirt, so in the end
>    you're running more things, and more complicated ones, even if it's
>    not needed
>
> 3. the profile is still much looser than what a libguestfs specific
>    profile could be, see for example the AppArmor policy I introduced
>    at:
>
>      https://salsa.debian.org/libvirt-team/guestfs-tools/-/commit/e638b1bcb8a6621d0b61907f9269a2506680684f
>
>    which, despite being rather loose, is still arguably much stricter
>    than this beast (and related add-ons):
>
>      https://gitlab.com/libvirt/libvirt/-/blob/master/src/security/apparmor/usr.sbin.libvirtd.in
>
>    and I think a strict subset of it, as well.
>
>    Now, it's all a bit simpler with AppArmor as we don't have the
>    multi-category security stuff, but conceptually this point should
>    apply to SELinux too.
>
> Still, to prepare guest images in our test suite, I think we could
> happily use that trick.
>
> For this specific usage, we're not particularly concerned about
> security, and guests are essentially trusted. We're using virt-edit to
> add root auto-login without password, that's how much we care about
> security there.

Seems nobody is objecting to this. I will send another patch to add the trick.

>
> > The real solution here IMHO is for libvirt to make session mode work
> > for root without changing UID.  It actually goes out of its way to
> > stop this working at the moment[1].
> >
> > Rich.
> >
> > [1] In qemuStateInitialize -> virQEMUDriverConfigNew, I think
>
> Another bit of the solution is probably to introduce a separate
> SELinux policy for libguestfs itself. No, sorry, I can't volunteer for
> that right now. :(
>
> --
> Stefano
>


-- 
Thanks,

Yumei Huang