Re: [PATCH] security: dac: relabel spice rendernode

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Jul 17, 2017 at 12:42:12PM -0400, Cole Robinson wrote:
> On 07/17/2017 12:35 PM, Daniel P. Berrange wrote:
> > On Mon, Jul 17, 2017 at 12:31:50PM -0400, Cole Robinson wrote:
> >> For a logged in user this a path like /dev/dri/renderD128 will have
> >> default ownership root:video which won't work for the qemu:qemu user,
> >> so we need to chown it.
> >>
> >> Thankfully with the namespace work we don't need to worry about this
> >> shutting out other legitimate users
> > 
> > We support turning off namespaces, in which case this will harm other
> > users. So at very least we need to make this conditional on namespaces
> > being enabled.
> > 
> 
> I can look into that, but then again it's basically the way the DAC driver
> already works for potentially more invasive scenarios like /dev/sd*,
> /dev/cdrom, USB devices etc etc

My concern is that changing this will break apps in the active desktop
session that are currently using the graphics card too.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]
  Powered by Linux