[libvirt] I have no idea why the current version of libvirt works for anyone in enforcing mode.

Daniel P. Berrange berrange at redhat.com
Fri Mar 13 15:46:02 UTC 2009

On Fri, Mar 13, 2009 at 10:50:04AM -0400, Daniel J Walsh wrote:
> >>How about if we check if you are running with svirt then don't execute
> >>the code.  Since I do not want to deal with these avc messages.  Either
> >>they will happen always and I have to dontaudit them in which case a
> >>compromised svirt attacking the /root directory would be dontaudited, or
> >>people are going to see avc's all the time.
> >
> >For that scenario I think it'd be better to make virt-manager prevent
> >addition of sound hardware, since it's in a position to give feedback
> >to the user telling them why sound devices aren't allowed.
> >
> >
> >Daniel
> Well there is no protocol currently to tell virt-manager that the
> libvirt is running with svirt.  I tried to remove an audio device via
> virt-manager and it does nothing.  Also what happens when virt-manager
> configures a remote libvirt?  Does the sound card automatically get added?

I was thinking virt-manager could call 'virNodeGetSecurityModel' to see
if the 'selinux' security model was active on the host it was talking
to. Or similar information from the capabilities XML for the host.

|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
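
The capabilities-XML variant of the check suggested in the message above, as an added example that is not part of the original post or of virt-manager's code. The two capabilities documents are constructed samples, and `sound_device_policy` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed host capabilities documents. On a live connection the
# XML would be whatever the (possibly remote) libvirt host returns.
SAMPLE_SVIRT_HOST = """
<capabilities>
  <host>
    <cpu><arch>x86_64</arch></cpu>
    <secmodel>
      <model>selinux</model>
      <doi>0</doi>
    </secmodel>
  </host>
</capabilities>
"""

SAMPLE_PLAIN_HOST = """
<capabilities>
  <host>
    <cpu><arch>x86_64</arch></cpu>
  </host>
</capabilities>
"""


def host_security_models(capabilities_xml):
    """Return the security model names listed under <host><secmodel>."""
    root = ET.fromstring(capabilities_xml)
    models = []
    for secmodel in root.findall("./host/secmodel"):
        name = (secmodel.findtext("model") or "").strip()
        if name:
            models.append(name)
    return models


def sound_device_policy(capabilities_xml):
    """Hypothetical UI helper: return (allowed, reason to show the user)."""
    try:
        models = host_security_models(capabilities_xml)
    except ET.ParseError:
        # Unknown host state: refuse rather than add a device that may
        # trigger AVC denials on a confined guest.
        return False, "could not read host capabilities"
    if "selinux" in models:
        return False, "host confines guests with the selinux security model"
    return True, ""
```

Because the decision is taken from the host's own capabilities, the same check applies when the management client is configuring a remote libvirt.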
