[Libvir] Thoughts on remote storage support
Daniel P. Berrange
berrange at redhat.com
Tue Oct 16 16:02:15 UTC 2007
On Mon, Oct 15, 2007 at 01:31:47PM +0100, Richard W.M. Jones wrote:
> There's an open-ended access control problem here. libvirtd runs as
> root and host+path gives a way to read and write any file on the system.
>
> Better might be to allow the system administrator to configure
> directories where backup images, snapshots and so on may be located
> (through /etc/libvirtd.conf), and have libvirtd check this, and also
> have an additional level of enforcement through SELinux (as is done with
> Xen images now).

Yep, that is a good idea. Indeed, some deployments pretty much require
that. When running with SELinux enforcing, only /var/lib/xen/images is
a valid location, for example. Being able to create/manage files on any
part of the filesystem is rather overkill for our needs. Admin-defined
directory locations should be more than sufficient.

Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|
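
The directory allow-list check discussed in this thread, as an added example that is not part of the original messages and is not libvirt's own code. The function names and the constructed "/tmp" allow-list (standing in for a libvirtd.conf setting) are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 1 if canonical path `p` is `root` itself or lies beneath it. The boundary
 * test stops "/var/lib/xen/images-old" from matching "/var/lib/xen/images". */
int is_within(const char *p, const char *root)
{
    size_t n = strlen(root);
    if (n == 0 || strncmp(p, root, n) != 0)
        return 0;
    return root[n - 1] == '/' || p[n] == '\0' || p[n] == '/';
}

/* 1 if the image at `path` would live inside one of the admin-approved
 * directories. The file itself may not exist yet, so only its parent
 * directory is canonicalised; realpath() resolves ".." and symlinks.
 * The final component is not resolved here: open it with O_NOFOLLOW. */
int image_path_allowed(const char *path, const char *const *dirs, size_t ndirs)
{
    char parent[PATH_MAX], real_parent[PATH_MAX], real_root[PATH_MAX];
    const char *slash = strrchr(path, '/');
    const char *name = slash ? slash + 1 : NULL;

    if (path[0] != '/' || strlen(path) >= sizeof(parent))
        return 0;                      /* absolute paths only */
    if (!*name || !strcmp(name, ".") || !strcmp(name, ".."))
        return 0;                      /* must name a file, not a directory hop */
    snprintf(parent, sizeof(parent), "%.*s", (int)(slash - path), path);
    if (!realpath(parent[0] ? parent : "/", real_parent))
        return 0;                      /* parent missing or unreadable */
    for (size_t i = 0; i < ndirs; i++)
        if (realpath(dirs[i], real_root) && is_within(real_parent, real_root))
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed allow-list and sample paths, for illustration only. */
    const char *const dirs[] = { "/tmp" };
    const char *tests[] = { "/tmp/guest.img", "/tmp/../etc/passwd", "/etc/passwd" };
    for (size_t i = 0; i < 3; i++)
        printf("%-22s %s\n", tests[i],
               image_path_allowed(tests[i], dirs, 1) ? "allowed" : "denied");
    return 0;
}
```

A check like this in the daemon complements the SELinux policy mentioned above rather than replacing it, since the path can change between the check and the open.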