Re: [Libvir] Thoughts on remote storage support
- From: "Daniel P. Berrange" <berrange redhat com>
- To: "Richard W.M. Jones" <rjones redhat com>
- Cc: libvir-list redhat com
- Subject: Re: [Libvir] Thoughts on remote storage support
- Date: Tue, 16 Oct 2007 17:02:15 +0100
On Mon, Oct 15, 2007 at 01:31:47PM +0100, Richard W.M. Jones wrote:
> There's an open-ended access control problem here. libvirtd runs as
> root and host+path gives a way to read and write any file on the system.
>
> Better might be to allow the system administrator to configure
> directories where backup images, snapshots and so on may be located
> (through /etc/libvirtd.conf), and have libvirtd check this, and also
> have an additional level of enforcement through SELinux (as is done with
> Xen images now).

Yep, that is a good idea. Indeed, some deployments pretty much require
that. When running with SELinux enforcing, only /var/lib/xen/images is
a valid location, for example. Being able to create/manage files on any
part of the filesystem is rather overkill for our needs. Admin-defined
directory locations should be more than sufficient.

Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|
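
An added example, not part of the original thread and not libvirt code: one way a root daemon could check a client-supplied path against admin-configured directories, as the exchange above proposes. The function names, the /tmp entry and the sample requests are assumptions made for illustration; /var/lib/xen/images is the location named in the reply.

```c
#define _XOPEN_SOURCE 700
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Canonical-path containment: the byte after the prefix must be '/' or NUL,
 * so "/a/images-evil" is not treated as inside "/a/images". */
static int is_within(const char *dir, const char *path)
{
    size_t n = strlen(dir);
    if (n == 1) return path[0] == '/';          /* dir is "/" */
    return strncmp(dir, path, n) == 0 && (path[n] == '/' || path[n] == '\0');
}

/* Canonicalise the parent directory (resolving ".." and symlinks), then re-attach
 * the final component, which may not exist yet (a new image or snapshot). */
static int canonical_target(const char *path, char out[PATH_MAX])
{
    char buf[PATH_MAX], dirbuf[PATH_MAX], real[PATH_MAX];
    struct stat st;
    if (path[0] != '/' || strlen(path) >= PATH_MAX) return -1;  /* absolute only */
    strcpy(buf, path); strcpy(dirbuf, path);    /* basename/dirname may modify */
    const char *base = basename(buf);
    if (!strcmp(base, "/") || !strcmp(base, ".") || !strcmp(base, "..")) return -1;
    if (!realpath(dirname(dirbuf), real)) return -1;     /* parent must exist */
    if (snprintf(out, PATH_MAX, "%s/%s", real[1] ? real : "", base) >= PATH_MAX)
        return -1;
    if (lstat(out, &st) == 0 && S_ISLNK(st.st_mode)) return -1; /* no symlink leaf */
    return 0;
}

/* Returns 1 if `path` resolves inside one of the admin-configured directories. */
int path_is_allowed(const char *path, const char *const *allowed, size_t n)
{
    char target[PATH_MAX], root[PATH_MAX];
    if (canonical_target(path, target) != 0) return 0;
    for (size_t i = 0; i < n; i++)
        if (realpath(allowed[i], root) && is_within(root, target)) return 1;
    return 0;
}

int main(void)
{
    const char *const dirs[] = { "/var/lib/xen/images", "/tmp" }; /* constructed */
    printf("%d %d\n", path_is_allowed("/tmp/guest.img", dirs, 2),
           path_is_allowed("/tmp/../etc/passwd", dirs, 2));
}
```

The check and a later open() are separate steps, so a daemon would still open the file with O_NOFOLLOW (or openat() relative to a descriptor for the allowed directory) and keep SELinux as the second layer of enforcement mentioned in the thread.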