[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH] qemu: don't share kerberos caches between domains



On 01/24/2013 03:53 PM, Cole Robinson wrote:
> On 01/23/2013 08:26 PM, Eric Blake wrote:
>> https://bugzilla.redhat.com/show_bug.cgi?id=718377
>> complains that there were some SELinux AVCs when using vnc console
>> over Kerberos.  The root problem was that Kerberos tries to set up
>> a cache file, and if we don't tell it where, then all domains use
>> the same cache file, which violates sVirt protections.  Setting the
>> environment variable unconditionally should be safe, even for setups
>> where Kerboros won't actually create a cache file.
>>

>> +    virCommandAddEnvFormat(cmd, "KRB5CACHEDIR=%s/%s.krb",
>> +                           driver->cacheDir, vm->def->name);
>>
>>      ret = virCommandRun(cmd, NULL);
>>
> 
> Thanks for taking a stab at this. The environment variable is actually called
> KRB5RCACHEDIR, and I don't think kerberos creates the directory for us.
> There's also KRB5RCACHENAME for pointing to a file path.

Good thing I haven't pushed yet.  Where is this documented, so that I
can fix my patch to match Kerberos expectations?

> 
> What all this means is that someone should probably reproduce the bug first :)

Unfortunately, I've got a huge learning curve ahead of me if I'm going
to reproduce it (I was just implementing what looked like an easy fix
based on the bugzilla content).

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]