Re: [libvirt] [PATCH] qemu: don't share kerberos caches between domains

On 01/24/2013 03:53 PM, Cole Robinson wrote: > On 01/23/2013 08:26 PM, Eric Blake wrote: >> https://bugzilla.redhat.com/show_bug.cgi?id=718377 >> complains that there were some SELinux AVCs when using vnc console >> over Kerberos. The root problem was that Kerberos tries to set up >> a cache file, and if we don't tell it where, then all domains use >> the same cache file, which violates sVirt protections. Setting the >> environment variable unconditionally should be safe, even for setups >> where Kerboros won't actually create a cache file. >> >> + virCommandAddEnvFormat(cmd, "KRB5CACHEDIR=%s/%s.krb", >> + driver->cacheDir, vm->def->name); >> >> ret = virCommandRun(cmd, NULL); >> > > Thanks for taking a stab at this. The environment variable is actually called > KRB5RCACHEDIR, and I don't think kerberos creates the directory for us. > There's also KRB5RCACHENAME for pointing to a file path. Good thing I haven't pushed yet. Where is this documented, so that I can fix my patch to match Kerberos expectations?

> > What all this means is that someone should probably reproduce the bug first :) Unfortunately, I've got a huge learning curve ahead of me if I'm going to reproduce it (I was just implementing what looked like an easy fix based on the bugzilla content).