[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH] qemu: don't share kerberos caches between domains

On 01/24/2013 03:53 PM, Cole Robinson wrote:
> On 01/23/2013 08:26 PM, Eric Blake wrote:
>> https://bugzilla.redhat.com/show_bug.cgi?id=718377
>> complains that there were some SELinux AVCs when using vnc console
>> over Kerberos.  The root problem was that Kerberos tries to set up
>> a cache file, and if we don't tell it where, then all domains use
>> the same cache file, which violates sVirt protections.  Setting the
>> environment variable unconditionally should be safe, even for setups
>> where Kerboros won't actually create a cache file.

>> +    virCommandAddEnvFormat(cmd, "KRB5CACHEDIR=%s/%s.krb",
>> +                           driver->cacheDir, vm->def->name);
>>      ret = virCommandRun(cmd, NULL);
> Thanks for taking a stab at this. The environment variable is actually called
> KRB5RCACHEDIR, and I don't think kerberos creates the directory for us.
> There's also KRB5RCACHENAME for pointing to a file path.

Good thing I haven't pushed yet.  Where is this documented, so that I
can fix my patch to match Kerberos expectations?

> What all this means is that someone should probably reproduce the bug first :)

Unfortunately, I've got a huge learning curve ahead of me if I'm going
to reproduce it (I was just implementing what looked like an easy fix
based on the bugzilla content).

Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]