From 8c86f8bbc326ff1578989a03b3c98b06634f62c1 Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Thu, 22 Jul 2021 16:31:34 +0100 Subject: [PATCH 6/7] docs: Correct --selinux-label example The actual label you should use for the internal socket is system_u:object_r:svirt_socket_t:s0 (not svirt_t). The filesystem label is different and was not documented before, so this is added. See also: https://bugzilla.redhat.com/show_bug.cgi?id=1984938 (cherry picked from commit 835762d1c68e30f650032bc8d8280e6140d8e46f) --- docs/nbdkit.pod | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/nbdkit.pod b/docs/nbdkit.pod index 68399eca..5b679895 100644 --- a/docs/nbdkit.pod +++ b/docs/nbdkit.pod @@ -377,9 +377,11 @@ socket. The common — perhaps only — use of this option is to allow libvirt guests which are using SELinux and sVirt confinement to access nbdkit -Unix domain sockets: +Unix domain sockets. The example below shows how to do this. Note +that the socket and filesystem labels are different. - nbdkit --selinux-label system_u:object_r:svirt_t:s0 ... + nbdkit -U /tmp/sock --selinux-label=system_u:object_r:svirt_socket_t:s0 ... + chcon system_u:object_r:svirt_image_t:s0 /tmp/sock =item B<--swap> -- 2.32.0
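Review bot: The added sentence "Note that the socket and filesystem labels are different" in the --selinux-label paragraph does not say which label goes where, so a reader has to infer it from the two example lines. The commit message already makes the distinction (svirt_socket_t is for the internal socket, and the filesystem label is separate), and that wording belongs in the pod text itself: state that --selinux-label sets the label on the socket nbdkit creates, and that the chcon line sets the label on the socket file at the -U path. It would also help to say that chcon has to run after nbdkit has created the socket, since the example relies on that ordering without stating it. Separately, the example uses the fixed path /tmp/sock; a socket path inside a directory owned by the user running nbdkit would be a better pattern to document than a predictable name in a shared directory.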