7:26 p.m.
https://bugzilla.redhat.com/show_bug.cgi?id=718377
complains that there were some SELinux AVCs when using vnc console
over Kerberos. The root problem was that Kerberos tries to set up
a cache file, and if we don't tell it where, then all domains use
the same cache file, which violates sVirt protections. Setting the
environment variable unconditionally should be safe, even for setups
where Kerboros won't actually create a cache file.
* src/qemu/qemu_process.c (qemuProcessStart): Set KRB5CACHEDIR for
each domain.
---
src/qemu/qemu_process.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 55d00e3..986e8ee 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -1,7 +1,7 @@
/*
* qemu_process.h: QEMU process management
*
- * Copyright (C) 2006-2012 Red Hat, Inc.
+ * Copyright (C) 2006-2013 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -3857,6 +3857,8 @@ int qemuProcessStart(virConnectPtr conn,
virCommandSetPidFile(cmd, priv->pidfile);
virCommandDaemonize(cmd);
virCommandRequireHandshake(cmd);
+ virCommandAddEnvFormat(cmd, "KRB5CACHEDIR=%s/%s.krb",
+ driver->cacheDir, vm->def->name);
ret = virCommandRun(cmd, NULL);
--
1.8.1
9:45 p.m.
On 2013年01月24日 09:26, Eric Blake wrote:
https://bugzilla.redhat.com/show_bug.cgi?id=718377
complains that there were some SELinux AVCs when using vnc console
over Kerberos. The root problem was that Kerberos tries to set up
a cache file, and if we don't tell it where, then all domains use
the same cache file, which violates sVirt protections. Setting the
environment variable unconditionally should be safe, even for setups
where Kerboros won't actually create a cache file.
* src/qemu/qemu_process.c (qemuProcessStart): Set KRB5CACHEDIR for
each domain.
---
src/qemu/qemu_process.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 55d00e3..986e8ee 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -1,7 +1,7 @@
/*
* qemu_process.h: QEMU process management
*
- * Copyright (C) 2006-2012 Red Hat, Inc.
+ * Copyright (C) 2006-2013 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -3857,6 +3857,8 @@ int qemuProcessStart(virConnectPtr conn,
virCommandSetPidFile(cmd, priv->pidfile);
virCommandDaemonize(cmd);
virCommandRequireHandshake(cmd);
+ virCommandAddEnvFormat(cmd, "KRB5CACHEDIR=%s/%s.krb",
+ driver->cacheDir, vm->def->name);
ACK.
3:45 a.m.
On Wed, Jan 23, 2013 at 06:26:49PM -0700, Eric Blake wrote:
https://bugzilla.redhat.com/show_bug.cgi?id=718377
complains that there were some SELinux AVCs when using vnc console
over Kerberos. The root problem was that Kerberos tries to set up
a cache file, and if we don't tell it where, then all domains use
the same cache file, which violates sVirt protections. Setting the
environment variable unconditionally should be safe, even for setups
where Kerboros won't actually create a cache file.
Rare chance for me to point out a typo to Eric instead of the other
way around:-P s/Kerboros/Kerberos/
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
4:53 p.m.
On 01/23/2013 08:26 PM, Eric Blake wrote:
https://bugzilla.redhat.com/show_bug.cgi?id=718377
complains that there were some SELinux AVCs when using vnc console
over Kerberos. The root problem was that Kerberos tries to set up
a cache file, and if we don't tell it where, then all domains use
the same cache file, which violates sVirt protections. Setting the
environment variable unconditionally should be safe, even for setups
where Kerboros won't actually create a cache file.
* src/qemu/qemu_process.c (qemuProcessStart): Set KRB5CACHEDIR for
each domain.
---
src/qemu/qemu_process.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 55d00e3..986e8ee 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -1,7 +1,7 @@
/*
* qemu_process.h: QEMU process management
*
- * Copyright (C) 2006-2012 Red Hat, Inc.
+ * Copyright (C) 2006-2013 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -3857,6 +3857,8 @@ int qemuProcessStart(virConnectPtr conn,
virCommandSetPidFile(cmd, priv->pidfile);
virCommandDaemonize(cmd);
virCommandRequireHandshake(cmd);
+ virCommandAddEnvFormat(cmd, "KRB5CACHEDIR=%s/%s.krb",
+ driver->cacheDir, vm->def->name);
ret = virCommandRun(cmd, NULL);
Thanks for taking a stab at this. The environment variable is actually called
KRB5RCACHEDIR, and I don't think kerberos creates the directory for us.
There's also KRB5RCACHENAME for pointing to a file path.
What all this means is that someone should probably reproduce the bug first :)
Thanks,
Cole
6:05 p.m.
On 01/24/2013 03:53 PM, Cole Robinson wrote:
On 01/23/2013 08:26 PM, Eric Blake wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=718377
> complains that there were some SELinux AVCs when using vnc console
> over Kerberos. The root problem was that Kerberos tries to set up
> a cache file, and if we don't tell it where, then all domains use
> the same cache file, which violates sVirt protections. Setting the
> environment variable unconditionally should be safe, even for setups
> where Kerboros won't actually create a cache file.
>
> + virCommandAddEnvFormat(cmd,
"KRB5CACHEDIR=%s/%s.krb",
> + driver->cacheDir, vm->def->name);
>
> ret = virCommandRun(cmd, NULL);
>
Thanks for taking a stab at this. The environment variable is actually called
KRB5RCACHEDIR, and I don't think kerberos creates the directory for us.
There's also KRB5RCACHENAME for pointing to a file path.
Good thing I haven't pushed yet. Where is this documented, so that I
can fix my patch to match Kerberos expectations?
What all this means is that someone should probably reproduce the bug first :)
Unfortunately, I've got a huge learning curve ahead of me if I'm going
to reproduce it (I was just implementing what looked like an easy fix
based on the bugzilla content).
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
6:44 p.m.
On 01/24/2013 07:05 PM, Eric Blake wrote:
On 01/24/2013 03:53 PM, Cole Robinson wrote:
> On 01/23/2013 08:26 PM, Eric Blake wrote:
>> https://bugzilla.redhat.com/show_bug.cgi?id=718377
>> complains that there were some SELinux AVCs when using vnc console
>> over Kerberos. The root problem was that Kerberos tries to set up
>> a cache file, and if we don't tell it where, then all domains use
>> the same cache file, which violates sVirt protections. Setting the
>> environment variable unconditionally should be safe, even for setups
>> where Kerboros won't actually create a cache file.
>>
>> + virCommandAddEnvFormat(cmd, "KRB5CACHEDIR=%s/%s.krb",
>> + driver->cacheDir, vm->def->name);
>>
>> ret = virCommandRun(cmd, NULL);
>>
>
> Thanks for taking a stab at this. The environment variable is actually called
> KRB5RCACHEDIR, and I don't think kerberos creates the directory for us.
> There's also KRB5RCACHENAME for pointing to a file path.
Good thing I haven't pushed yet. Where is this documented, so that I
can fix my patch to match Kerberos expectations?
I just looked at the krb5 code.
>
> What all this means is that someone should probably reproduce the bug first :)
Unfortunately, I've got a huge learning curve ahead of me if I'm going
to reproduce it (I was just implementing what looked like an easy fix
based on the bugzilla content).
Same reason why I never tested it and submitted the obvious patch :)
- Cole
3:45 a.m.
On Thu, Jan 24, 2013 at 07:44:36PM -0500, Cole Robinson wrote:
On 01/24/2013 07:05 PM, Eric Blake wrote:
>>
>> What all this means is that someone should probably reproduce the bug first :)
>
> Unfortunately, I've got a huge learning curve ahead of me if I'm going
> to reproduce it (I was just implementing what looked like an easy fix
> based on the bugzilla content).
>
Same reason why I never tested it and submitted the obvious patch :)
Actually you really don't need to know much, if anything, about Kerberos
to get it working. The key is you don't want to try to install and
configure Kerberos. Instead just deploy freeipa, which hides all the
Kerberos nastiness from you. You just install the RPMs, then run
ipa-server-install, it askes you a couple of really simple questions
and then configures kerberos, ldap, certificate manager and more.
Configuring client machines is no harder. It is easy to just setup
FreeIPA inside a VM
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
4319
days inactive
4320
days old
6 comments
4 participants
participants (4)
-
Cole Robinson -
Daniel P. Berrange -
Eric Blake -
Osier Yang