[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] live snapshot wiki updated
From: |
Jes Sorensen |
Subject: |
Re: [Qemu-devel] live snapshot wiki updated |
Date: |
Tue, 19 Jul 2011 16:09:49 +0200 |
User-agent: |
Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.18) Gecko/20110621 Fedora/3.1.11-1.fc14 Thunderbird/3.1.11 |
On 07/19/11 15:58, Eric Blake wrote:
> On 07/19/2011 07:27 AM, Jes Sorensen wrote:
>> Eric, what happens if libvirt in an selinux environment tells QEMU to
>> launch using an image file that is backed by backing file(s)?
>
> Before starting qemu, libvirt first parses all the image files, to see
> if any of them have backing images. For every qcow2 or qed image with a
> backing file, libvirt sets the SELinux context of both the qcow2 image
> and its backing file so that qemu will be able to successfully open()
> them. But if any of those files reside on NFS, then it is not possible
> to label individual files, so it requires setting the SELinux bool
> virt_use_nfs, which thus gives qemu the power to open() arbitrary files
> on NFS, and you've lost security.
Urgh, libvirt parsing image files is really unfortunate, it really
doesn't give me warm fuzzy feelings :( libvirt really should not know
about internals of image formats.
> It would be nice if libvirt had a way to pass fds for every disk and
> backing file up front; then, SELinux can work around the lack of NFS
> per-file labelling by blocking open() in qemu. In fact, this has
> already been proposed:
A cleaner solution seems to have libvirt provide a call-back allowing
QEMU to call out and have libvirt open a file descriptor instead. This
way libvirt can validate it and open it for QEMU and pass it back.
If we cannot do something like this, I would prefer to have backing
files on NFS should simply not be supported when running in an selinux
setup.
Cheers,
Jes
- [Qemu-devel] live snapshot wiki updated, Jes Sorensen, 2011/07/15
- Re: [Qemu-devel] live snapshot wiki updated, Stefan Hajnoczi, 2011/07/18
- Re: [Qemu-devel] live snapshot wiki updated, Jes Sorensen, 2011/07/19
- Re: [Qemu-devel] live snapshot wiki updated, Stefan Hajnoczi, 2011/07/19
- Re: [Qemu-devel] live snapshot wiki updated, Jes Sorensen, 2011/07/19
- Re: [Qemu-devel] live snapshot wiki updated, Eric Blake, 2011/07/19
- Re: [Qemu-devel] live snapshot wiki updated,
Jes Sorensen <=
- Re: [Qemu-devel] live snapshot wiki updated, Eric Blake, 2011/07/19
- Re: [Qemu-devel] live snapshot wiki updated, Jes Sorensen, 2011/07/19
- Re: [Qemu-devel] live snapshot wiki updated, Stefan Hajnoczi, 2011/07/19
- Re: [Qemu-devel] live snapshot wiki updated, Daniel P. Berrange, 2011/07/19
- Re: [Qemu-devel] live snapshot wiki updated, Markus Armbruster, 2011/07/20
- Re: [Qemu-devel] live snapshot wiki updated, Jes Sorensen, 2011/07/20
- Re: [Qemu-devel] live snapshot wiki updated, Daniel P. Berrange, 2011/07/20
- [Qemu-devel] [libvirt] Re: live snapshot wiki updated, Nicolas Sebrecht, 2011/07/20
- Re: [Qemu-devel] [libvirt] Re: live snapshot wiki updated, Daniel P. Berrange, 2011/07/20
- Re: [Qemu-devel] [libvirt] live snapshot wiki updated, Stefan Hajnoczi, 2011/07/20