[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] I have no idea why the current version of libvirt works for anyone in enforcing mode.



On Thu, Mar 12, 2009 at 01:39:13PM -0400, Daniel J Walsh wrote:
> Libvirt is executing qemu requiring it to execute pulseaudio which would  
> require the folowing permissions,
>
> #============= svirt_t ==============
> allow svirt_t admin_home_t:dir setattr;
> allow svirt_t admin_home_t:file { read write };
> allow svirt_t pulseaudio_port_t:tcp_socket name_connect;
> allow svirt_t svirt_tmpfs_t:file read;
> allow svirt_t user_tmpfs_t:file read;
>
> Since qemu(svirt_t) is not allowed these permissions, pulseaudio crashes  
> and qemu dies.
>
> I believe you need to run without sound if you are running as root.
>

  That sounds wrong. I would assume that the access to audio is allowed
to whoever owns the console, so the check should not be whether the code
runs as root or foo but if the current user for that code has those
permissions.

  I.e. if user foo uses the console but user bar ssh to the box and
starts a new domain, that check would just not work.
  On the other hand if you are logged on the console as root I don't
see why that test should be applied.

  Can't you extract from SELinux if you have the access instead ?
And pulseaudio should not crash in the first place !

Daniel

-- 
Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
daniel veillard com  | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library  http://libvirt.org/


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]