On 3/8/23 11:49 PM, Laine Stump wrote:
> All the necessary explanation is in Patch 3/4
>
> We may want to turn on this same behavior for some other external
> processes, but right now the one we need it for is passt.
>
> Resolves: https://bugzilla.redhat.com/2172267

I forgot to mention that proper operation requires the latest updates to passt, as well as a patch to selinux-policy that still needs to be posted/merged.

> Laine Stump (4):
>   util: add an API to retrieve the resolved path to a virCommand's binary
>   security: make args to virSecuritySELinuxContextAddRange() const
>   security: make it possible to set SELinux label of child process from its binary
>   qemu: set SELinux label of passt process to its own binary's label
>
>  src/libvirt_private.syms         |  1 +
>  src/qemu/qemu_dbus.c             |  2 +-
>  src/qemu/qemu_passt.c            |  2 +-
>  src/qemu/qemu_process.c          |  2 +-
>  src/qemu/qemu_security.c         |  5 ++-
>  src/qemu/qemu_security.h         |  1 +
>  src/qemu/qemu_slirp.c            |  2 +-
>  src/qemu/qemu_tpm.c              |  3 +-
>  src/qemu/qemu_vhost_user_gpu.c   |  2 +-
>  src/security/security_apparmor.c |  1 +
>  src/security/security_dac.c      |  1 +
>  src/security/security_driver.h   |  1 +
>  src/security/security_manager.c  |  8 +++-
>  src/security/security_manager.h  |  1 +
>  src/security/security_nop.c      |  1 +
>  src/security/security_selinux.c  | 77 ++++++++++++++++++++++++++++++--
>  src/security/security_stack.c    |  5 ++-
>  src/util/vircommand.c            | 51 ++++++++++++++++-----
>  src/util/vircommand.h            |  1 +
>  19 files changed, 143 insertions(+), 24 deletions(-)