On Fri, Mar 13, 2009 at 10:50:04AM -0400, Daniel J Walsh wrote:
>>How about if we check if you are running with svirt then don't execute
>>the code. Since I do not want to deal with these avc messages. Either
>>they will happen always and I have to dontaudit them in which case a
>>compromised svirt attacking the /root directory would be dontaudited, or
>>people are going to see avc's all the time.
>
>For that scenario I think it'd be better to make virt-manager prevent
>addition of sound hardware, since it's in a position to give feedback
>to the user telling them why sound devices aren't allowed.
>
>
>Daniel
Well there is no protocol currently to tell virt-manager that the
libvirt is running with svirt. I tried to remove an audio device via
virt-manager and it does nothing. Also what happens when virt-manager
configures a remote libvirt? Does the sound card automatically get added?

I was thinking virt-manager could call 'virNodeGetSecurityModel' to see
if the 'selinux' security model was active on the host it was talking
to. Or similar information from the capabilities XML for the host.

Daniel
--
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
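
The capabilities-XML check suggested in the last reply, as an added example that is not part of the original thread or of virt-manager's code: it reads the `<secmodel>` entries under `<host>` and decides whether a client should offer sound hardware. The sample XML documents are constructed, and `sound_device_allowed` with its fail-closed policy is hypothetical; on a live connection the document would come from the libvirt Python binding's `getCapabilities()`.

```python
import xml.etree.ElementTree as ET

# Constructed sample capabilities documents, trimmed to the relevant part.
CAPS_SVIRT = """<capabilities>
  <host>
    <cpu><arch>x86_64</arch></cpu>
    <secmodel>
      <model>selinux</model>
      <doi>0</doi>
    </secmodel>
  </host>
</capabilities>"""

CAPS_PLAIN = """<capabilities>
  <host>
    <cpu><arch>x86_64</arch></cpu>
  </host>
</capabilities>"""


def host_security_models(caps_xml):
    """Return the set of security model names advertised under <host>."""
    root = ET.fromstring(caps_xml)
    models = set()
    # A host may list no <secmodel> element, or more than one.
    for sec in root.findall("./host/secmodel"):
        name = (sec.findtext("model") or "").strip().lower()
        if name and name != "none":
            models.add(name)
    return models


def sound_device_allowed(caps_xml):
    """Hypothetical client-side policy: return (allowed, reason_for_user)."""
    try:
        models = host_security_models(caps_xml)
    except ET.ParseError as exc:
        # Assumption: fail closed when the host's answer cannot be read.
        return False, "could not read host capabilities: %s" % exc
    if "selinux" in models:
        return False, "host confines guests with the 'selinux' security model"
    return True, ""


if __name__ == "__main__":
    for label, xml in (("svirt host", CAPS_SVIRT), ("plain host", CAPS_PLAIN)):
        print(label, sound_device_allowed(xml))
```

Because the check runs against the capabilities of whichever host the connection points at, it gives the same answer for a local and a remote libvirt.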