[libvirt] [PATCH] qemu: don't share kerberos caches between domains
Cole Robinson
crobinso at redhat.com
Fri Jan 25 00:44:36 UTC 2013
On 01/24/2013 07:05 PM, Eric Blake wrote:
> On 01/24/2013 03:53 PM, Cole Robinson wrote:
>> On 01/23/2013 08:26 PM, Eric Blake wrote:
>>> https://bugzilla.redhat.com/show_bug.cgi?id=718377
>>> complains that there were some SELinux AVCs when using vnc console
>>> over Kerberos. The root problem was that Kerberos tries to set up
>>> a cache file, and if we don't tell it where, then all domains use
>>> the same cache file, which violates sVirt protections. Setting the
>>> environment variable unconditionally should be safe, even for setups
>>> where Kerboros won't actually create a cache file.
>>>
>
>>> + virCommandAddEnvFormat(cmd, "KRB5CACHEDIR=%s/%s.krb",
>>> + driver->cacheDir, vm->def->name);
>>>
>>> ret = virCommandRun(cmd, NULL);
>>>
>>
>> Thanks for taking a stab at this. The environment variable is actually called
>> KRB5RCACHEDIR, and I don't think kerberos creates the directory for us.
>> There's also KRB5RCACHENAME for pointing to a file path.
>
> Good thing I haven't pushed yet. Where is this documented, so that I
> can fix my patch to match Kerberos expectations?
>
I just looked at the krb5 code.
>>
>> What all this means is that someone should probably reproduce the bug first :)
>
> Unfortunately, I've got a huge learning curve ahead of me if I'm going
> to reproduce it (I was just implementing what looked like an easy fix
> based on the bugzilla content).
>
Same reason why I never tested it and submitted the obvious patch :)
- Cole
More information about the libvir-list
mailing list