[libvirt] [PATCH] qemu: don't share kerberos caches between domains

Osier Yang jyang at redhat.com
Thu Jan 24 03:45:57 UTC 2013


On 2013-01-24 09:26, Eric Blake wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=718377
> complains that there were some SELinux AVCs when using vnc console
> over Kerberos.  The root problem was that Kerberos tries to set up
> a cache file, and if we don't tell it where, then all domains use
> the same cache file, which violates sVirt protections.  Setting the
> environment variable unconditionally should be safe, even for setups
> where Kerberos won't actually create a cache file.
>
> * src/qemu/qemu_process.c (qemuProcessStart): Set KRB5CACHEDIR for
> each domain.
> ---
>   src/qemu/qemu_process.c | 4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
> index 55d00e3..986e8ee 100644
> --- a/src/qemu/qemu_process.c
> +++ b/src/qemu/qemu_process.c
> @@ -1,7 +1,7 @@
>   /*
>    * qemu_process.h: QEMU process management
>    *
> - * Copyright (C) 2006-2012 Red Hat, Inc.
> + * Copyright (C) 2006-2013 Red Hat, Inc.
>    *
>    * This library is free software; you can redistribute it and/or
>    * modify it under the terms of the GNU Lesser General Public
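
Review bot: The header comment kept as context in this hunk still reads "qemu_process.h: QEMU process management", although the file being patched is src/qemu/qemu_process.c. Since the hunk already touches this comment block for the copyright year, correct the file name in the same change or in a trivial follow-up.
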
> @@ -3857,6 +3857,8 @@ int qemuProcessStart(virConnectPtr conn,
>       virCommandSetPidFile(cmd, priv->pidfile);
>       virCommandDaemonize(cmd);
>       virCommandRequireHandshake(cmd);
> +    virCommandAddEnvFormat(cmd, "KRB5CACHEDIR=%s/%s.krb",
> +                           driver->cacheDir, vm->def->name);
>
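
Review bot: The new virCommandAddEnvFormat() call points the process at "%s/%s.krb" under driver->cacheDir, but nothing in this hunk creates that per-domain path or gives it the domain's security label. The reported symptom is SELinux AVCs, so a path the confined qemu process cannot write to would replace one denial with another. Please show, or add, where the path is created, labelled for the domain, and removed when the domain stops. The path also embeds vm->def->name directly, so it is worth stating in the commit message that domain names are unique per driver and safe as a path component. Finally, the commit message and the code agree on "KRB5CACHEDIR"; please confirm against the Kerberos documentation that this is the exact variable name the library reads, since a misspelled name would be silently ignored and leave the shared cache in place.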

ACK.



