James Morris wrote:
> On Wed, 14 Jan 2009, Daniel J Walsh wrote:
>
>> I think labeling can be done to allow the access to directories, and
>> files. So libvirt could go in and label a file/directory in such a way
>> that the running qemu_t:s0.c10 can read or read/write the file/directory.
>>
>> Same with the ability to create save images, as long as the labeling is
>> correct. The only problem I see here is the searching of the directory
>> path to the location of the directories. If we want to allow users to
>> store files/directories anywhere, we end up having to allow qemu_t the
>> ability to at least search every directory on the system, and
>> potentially read them. Having the ability to read a directory is
>> sometimes valuable, for a hacker.
>
> I thought the virt-manager etc. tools were moving toward using
> standardized directories and not allowing users to put VM images
> just anywhere.
>

This is more the iso images used to install virt images can be anywhere.
So a user copies an iso image to his home directory and then installs the
iso using virt-manager. Currently qemu_t would need to read user_home_t
to make this work. If virt-manager/libvirt were to relabel the iso file
to virt_image_t then qemu_t would be able to read it, iff it could
search all of the parent directories.

Daniel has brought up the fact that additional files/directories could be
added to the image via virt-manager. He is suggesting that
virt-manager/libvirt would label images something like virt_image_t or
virt_image_ro_t. With Svirt, these would also need the categories added.

--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
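
A simplified model of the point made in the message above, added here as an example and not part of the original thread: relabeling the ISO does not help unless qemu_t can also search every parent directory, and with sVirt the categories must match as well. The allow rules, labels, paths and the `denials` helper are constructed for illustration and are not the real policy.

```python
# Simplified model of the access decision discussed above. Not real policy.
# Constructed allow rules: (source type, target type, class) -> permissions.
ALLOW = {
    ("qemu_t", "root_t", "dir"): {"search"},
    ("qemu_t", "home_root_t", "dir"): {"search"},
    ("qemu_t", "virt_image_t", "file"): {"read", "write"},
    ("qemu_t", "virt_image_ro_t", "file"): {"read"},
}

# Constructed labels for an ISO a user copied into a home directory,
# after a hypothetical relabel of the file by virt-manager/libvirt.
LABELS = {
    "/": "system_u:object_r:root_t:s0",
    "/home": "system_u:object_r:home_root_t:s0",
    "/home/alice": "unconfined_u:object_r:user_home_dir_t:s0",
    "/home/alice/install.iso": "system_u:object_r:virt_image_ro_t:s0:c10",
}

def parse_context(ctx):
    """Return (type, category set) from 'user:role:type:s0[:c1,c2]'."""
    fields = ctx.split(":")
    cats = set(fields[4].split(",")) if len(fields) > 4 else set()
    return fields[2], cats

def denials(proc_ctx, path, perm, labels=LABELS, allow=ALLOW):
    """List (path, class, perm, reason) for every check that fails."""
    ptype, pcats = parse_context(proc_ctx)
    parts = [p for p in path.split("/") if p]
    # Every ancestor directory needs 'search'; the file itself needs perm.
    checks = [("/" + "/".join(parts[:i]), "dir", "search") for i in range(len(parts))]
    checks.append((path, "file", perm))
    failed = []
    for obj, cls, want in checks:
        otype, ocats = parse_context(labels[obj])
        if want not in allow.get((ptype, otype, cls), set()):
            failed.append((obj, cls, want, "type enforcement"))
        elif not ocats <= pcats:  # simplified MCS: process must hold all categories
            failed.append((obj, cls, want, "MCS categories"))
    return failed

if __name__ == "__main__":
    for ctx in ("system_u:system_r:qemu_t:s0:c10", "system_u:system_r:qemu_t:s0:c11"):
        print(ctx, denials(ctx, "/home/alice/install.iso", "read"))
```

The first context is blocked only at `/home/alice`, which is the directory-search problem the message describes; the second is additionally blocked on the file because its category does not match.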