Re: [libvirt] [PATCH] qemu: don't share kerberos caches between domains
On Wed, Jan 23, 2013 at 06:26:49PM -0700, Eric Blake wrote:
https://bugzilla.redhat.com/show_bug.cgi?id=718377
complains that there were some SELinux AVCs when using vnc console
over Kerberos. The root problem was that Kerberos tries to set up
a cache file, and if we don't tell it where, then all domains use
the same cache file, which violates sVirt protections. Setting the
environment variable unconditionally should be safe, even for setups
where Kerboros won't actually create a cache file.
Rare chance for me to point out a typo to Eric instead of the other
way around:-P s/Kerboros/Kerberos/
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|