[libvirt] Re: SELinux SVirt/Qemu problems with current qemu design.
James Morris
jmorris at namei.org
Wed Jan 14 20:32:25 UTC 2009
On Wed, 14 Jan 2009, Daniel J Walsh wrote:
> I think labeling can be done to allow the access to directories, and
> files. So libvirt could go in an label a file/directory in such a way
> that the running qemu_t:s0.c10 can read or read/write the file/directory.
>
> Same with the ability to create save images, as long as the labeling is
> correct. The only problem I see here is the searching of the directory
> path to the location of the directories. If we want to allow users to
> store files/directories anywhere, we end up having to allow qemu_t the
> ability to at least search every directory on the system, and
> potentially read them. Having the ability to read a directory is
> sometimes valuable, for a hacker.
I thought the virt-manager etc. tools were moving toward using
standardized directories and not allowing users to put VM images
just anywhere.
--
James Morris
<jmorris at namei.org>
More information about the libvir-list
mailing list