Comment 11 for bug 1880947

Kashyap Chamarthy (kashyapc) wrote :

Jeremy,

First of all, I agree with almost everything you said in comment#6 — majorly, keeping embargo dates as short as possible, for all the good reasons you outlined. I was quoting the VMT merely as a guideline, and not as a strict doctrine.

And as discussed on IRC, RHT Product Security (thanks for chiming in here, Nick) is also broadly in agreement with your thoughts in comment#6—to keep the embargo time frame as reasonably short as possible. So we're all on the same page.

          - - -

Current status (as an addendum to the great summary by Cédric in comment#9):

While testing the fix (i.e. a revert of this commit, https://review.opendev.org/#/c/631235/ – "nova-libvirt: conditionalize selinux bind-mount"), we ran into the other SELinux labelling issue that Cédric mentions above. I've described the issue in this publicly-viewable SELinux bug here (https://bugzilla.redhat.com/show_bug.cgi?id=1841822 — "SELinux blocks 'qemu-kvm' running in a container (running in a VM)").

I'm working with Cédric (and also the Red Hat SELinux team) to work out the SELinux policy quirks. I spent a good deal of time yesterday on this, and doing the tests with a fixed SELinux policy that Cédric alluded to in comment#9 above.