[libvirt-users] libvirt, selinux, moving images to ~/images does not work

Alexey Kardashevskiy aik at ozlabs.ru
Mon Apr 8 23:10:18 UTC 2013


On 04/09/2013 06:09 AM, Eric Blake wrote:
> On 04/08/2013 01:14 AM, Alexey Kardashevskiy wrote:
>> Hi!
>>
>> Setting security_driver to "none" (instead of "selinux") fixed the
>> problem so I presumed that selinux is the problem here. But you're right
>> after all, this helped:
>>
>> [root at vpl2 ~]# chmod 777 /home/aik/
>> [root at vpl2 ~]# chmod 777 /home/aik/virtimg/
>
> It may have helped, but it also opened you up to a security hole.  You
> generally don't want permissions to be this wide open on your home
> directory.  Rather, the use of ACLs or group (but not world) permissions
> should be considered, so that access is granted to the qemu group but
> not to the world.

Yes, right, my point was that it is not always first DAC and only then MAC.
Here it is domain type check, then DAC user access check and only then MAC
user access check, correct?



-- 
Alexey
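
The group-not-world approach suggested in the quoted reply can be checked with a small audit of the mode bits along the image path. This is an added example, not part of the mailing-list thread or of libvirt; the function names, the directory layout and the stand-in uid are constructed for illustration. It evaluates only classic owner/group/other bits for a non-root identity, not POSIX ACLs or SELinux labels.

```python
import os
import stat
import tempfile
from pathlib import Path

def class_bits(st, uid, gids):
    """Return the rwx triplet (0-7) that classic DAC applies to uid/gids."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def audit(base, target, uid, gids):
    """Walk base -> target and list (path, problem) for the given identity.

    Directories need search (x); the image file needs read and write.
    World-writable directories are reported even when access works.
    """
    base, target = Path(base), Path(target)
    rel = target.relative_to(base).parts
    chain = [base.joinpath(*rel[:i]) for i in range(len(rel) + 1)]
    findings = []
    for p in chain:
        st = os.stat(p)
        bits = class_bits(st, uid, gids)
        if stat.S_ISDIR(st.st_mode):
            if not bits & 1:
                findings.append((str(p), "no search (x) permission"))
            if st.st_mode & stat.S_IWOTH:
                findings.append((str(p), "world-writable directory"))
        elif bits & 6 != 6:
            findings.append((str(p), "no read/write permission"))
    return findings

if __name__ == "__main__":
    # Constructed tree standing in for a home directory with an image folder.
    with tempfile.TemporaryDirectory() as root:
        img_dir = Path(root, "home", "virtimg")
        img_dir.mkdir(parents=True)
        img = img_dir / "disk.img"
        img.touch()
        hypervisor_uid = os.getuid() + 1          # stand-in for the qemu user
        shared_gid = {os.stat(img).st_gid}        # stand-in for the qemu group
        for dmode, fmode in ((0o777, 0o666), (0o710, 0o660)):
            for d in (img_dir.parent, img_dir):
                os.chmod(d, dmode)
            os.chmod(img, fmode)
            print(oct(dmode), audit(img_dir.parent, img, hypervisor_uid, shared_gid))
```
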



