On Wed, Sep 24, 2025 at 7:06 PM Stefano Brivio wrote:
On Wed, 24 Sep 2025 11:31:31 +0100 "Richard W.M. Jones" wrote:
On Wed, Sep 24, 2025 at 11:09:09AM +0200, Stefano Brivio wrote:
And now that you say that, I just realised that it would be as simple as:
https://libguestfs.org/guestfs-faq.1.html#permission-denied-when-running-lib...
LIBGUESTFS_BACKEND=direct virt-edit...
While that will indeed work, we're trying to discourage people from doing that, since it removes the other good things that libvirt does, such as setting up SELinux.
Oh, I see. I guess it makes sense, with a number of caveats:
1. libvirt's SELinux policy doesn't seem to be really maintainable / long-term sustainable to me, especially because it's still part of fedora-selinux
2. it adds a rather artificial dependency on libvirt, so in the end you're running more things, and more complicated ones, even if it's not needed
3. the profile is still much looser than what a libguestfs-specific profile could be, see for example the AppArmor policy I introduced at:
https://salsa.debian.org/libvirt-team/guestfs-tools/-/commit/e638b1bcb8a6621...
which, despite being rather loose, is still arguably much stricter than this beast (and related add-ons):
https://gitlab.com/libvirt/libvirt/-/blob/master/src/security/apparmor/usr.s...
and I think a strict subset of it, as well.
Now, it's all a bit simpler with AppArmor as we don't have the multi-category security stuff, but conceptually this point should apply to SELinux too.
Still, to prepare guest images in our test suite, I think we could happily use that trick.
For this specific usage, we're not particularly concerned about security, and guests are essentially trusted. We're using virt-edit to add root auto-login without password, that's how much we care about security there.
Seems nobody is objecting to this. I will send another patch to add the trick.
The real solution here IMHO is for libvirt to make session mode work for root without changing UID. It actually goes out of its way to stop this working at the moment[1].
Rich.
[1] In qemuStateInitialize -> virQEMUDriverConfigNew, I think
Another bit of the solution is probably to introduce a separate SELinux policy for libguestfs itself. No, sorry, I can't volunteer for that right now. :(
-- Stefano
-- Thanks, Yumei Huang