[libvirt] Re: SELinux SVirt/Qemu problems with current qemu design.
Daniel J Walsh
dwalsh at redhat.com
Wed Jan 14 21:11:19 UTC 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
James Morris wrote:
> On Wed, 14 Jan 2009, Daniel J Walsh wrote:
>
>> I think labeling can be done to allow the access to directories, and
>> files. So libvirt could go in an label a file/directory in such a way
>> that the running qemu_t:s0.c10 can read or read/write the file/directory.
>>
>> Same with the ability to create save images, as long as the labeling is
>> correct. The only problem I see here is the searching of the directory
>> path to the location of the directories. If we want to allow users to
>> store files/directories anywhere, we end up having to allow qemu_t the
>> ability to at least search every directory on the system, and
>> potentially read them. Having the ability to read a directory is
>> sometimes valuable, for a hacker.
>
> I thought the virt-manager etc. tools were moving toward using
> standardized directories and not allowing users to put VM images
> just anywhere.
>
This is more the iso images used to install virt images can be anywhere.
So a user copies a iso image to his home directory and then installs the
iso using virt-manager. Currently qemu_t would need to read user_home_t
to make this work. If virt-manager/libvirt were to relabel the iso file
to virt_image_t then qemu_t would be able to read it, iff it could
search all of the parent directories.
Daniel, has brought up the fact that additional files/directories could
be added to the image via virt_manager, He is suggesting that
virt-manager/libvirt would label images something like virt_image_t or
virt_image_ro_t.
With Svirt, these would also need the categories added.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkluVPcACgkQrlYvE4MpobPSSACg6eaZhuA+9teDqVN7ebRQkVV2
LTUAn0vKMh9TdHDvJOuT0iIeT3krHeP/
=Q/VZ
-----END PGP SIGNATURE-----
More information about the libvir-list
mailing list