On Wed, 14 Jan 2009, Daniel J Walsh wrote:
I think labeling can be done to allow the access to directories, and files. So libvirt could go in an label a file/directory in such a way that the running qemu_t:s0.c10 can read or read/write the file/directory.
Same with the ability to create save images, as long as the labeling is correct. The only problem I see here is the searching of the directory path to the location of the directories. If we want to allow users to store files/directories anywhere, we end up having to allow qemu_t the ability to at least search every directory on the system, and potentially read them. Having the ability to read a directory is sometimes valuable, for a hacker.
I thought the virt-manager etc. tools were moving toward using standardized directories and not allowing users to put VM images just anywhere. -- James Morris <jmorris@namei.org>