On Mon, Oct 15, 2007 at 01:31:47PM +0100, Richard W.M. Jones wrote:
> There's an open-ended access control problem here. libvirtd runs as
> root and host+path gives a way to read and write any file on the system.
> Better might be to allow the system administrator to configure
> directories where backup images, snapshots and so on may be located
> (through /etc/libvirtd.conf), and have libvirtd check this, and also
> have an additional level of enforcement through SELinux (as is done with
> Xen images now).

Yep, that is a good idea. Indeed some deployments pretty much require
that. When running with SELinux enforcing, only /var/lib/xen/images is
a valid location for example. Being able to create/manage files on any
part of the filesystem is rather overkill for our needs. Admin-defined
directory locations should be more than sufficient.
Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|
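
Added example (not part of the original thread and not libvirt code): one way the directory check proposed above could look in C, canonicalising the requested path and comparing it with the admin-configured directories. All function names and the sample policy are hypothetical; /tmp stands in for /var/lib/xen/images so the code runs on any host.

```c
#define _XOPEN_SOURCE 700          /* realpath(), PATH_MAX */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample policy: /tmp stands in for /var/lib/xen/images. */
static const char *const sample_allowed[] = { "/tmp" };

/* 1 if canonical path p is dir itself or lies beneath it. The boundary test
 * stops "/var/lib/xen/images-old" from matching "/var/lib/xen/images". */
static int path_is_under(const char *dir, const char *p)
{
    size_t n = strlen(dir);
    return strncmp(dir, p, n) == 0 && (p[n] == '\0' || p[n] == '/');
}

/* Canonicalise path into out (PATH_MAX bytes): an existing path is resolved
 * fully; for a not-yet-created file the parent is resolved. 0 on success. */
static int canonical_target(const char *path, char *out)
{
    char dir[PATH_MAX], parent[PATH_MAX];
    if (path[0] != '/' || strlen(path) >= PATH_MAX)
        return -1;                          /* absolute paths only */
    if (realpath(path, out))
        return 0;
    if (errno != ENOENT)
        return -1;
    const char *slash = strrchr(path, '/'), *base = slash + 1;
    if (!*base || !strcmp(base, ".") || !strcmp(base, ".."))
        return -1;
    snprintf(dir, sizeof dir, "%.*s", slash == path ? 1 : (int)(slash - path), path);
    if (!realpath(dir, parent))
        return -1;
    return snprintf(out, PATH_MAX, "%s/%s", parent, base) < PATH_MAX ? 0 : -1;
}

/* 1 if path resolves inside an allowed directory; any error denies. Open the
 * file with O_NOFOLLOW (and O_EXCL on create): check and open are not atomic. */
int image_path_allowed(const char *path, const char *const *allowed, size_t n)
{
    char target[PATH_MAX], dir[PATH_MAX];
    if (canonical_target(path, target) < 0)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (realpath(allowed[i], dir) && path_is_under(dir, target))
            return 1;
    return 0;
}
```

The allowed directories are canonicalised too, so a policy entry that is itself a symlink still compares correctly. The SELinux enforcement mentioned in the thread remains a separate, second layer.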