On Mon, Jan 10, 2011 at 12:15:59PM -0500, Cole Robinson wrote:
> QEMU supports serving VNC over a unix domain socket rather than traditional
> TCP host/port. This is specified with:
>
> <graphics type='vnc' socket='/foo/bar/baz'/>
>
> Currently not hooked up with the security driver, I'll wait for Dan's
> big reorg. I also have a virtinst/virt-manager patch queued locally to
> handle this change.

Actually there's nothing you can do with UNIX sockets that QEMU itself
is responsible for creating. You just have to make sure you place them
in a directory that is labelled virt_image_t and then rely on the policy
doing correct labelling. cf. the UNIX socket used for the monitor.

> To be useful, we probably want a qemu.conf option to use sockets as the
> default VNC method, so VMs without hardcoded listen addresses will
> magically start up serving over a socket in /var/lib/libvirt/qemu. This
> provides better security access control than VNC listening on 127.0.0.1, but
> will cause issues with tools that rely on the lax security (virt-manager
> in fedora runs as regular user by default, and wouldn't be able to access
> a socket owned by 'qemu' or 'root').

Yes, we'd want a qemu.conf option for this, though not enabled by default
due to the problem you mention. The only current approach is to make your
desktop user be a member of the 'qemu' group which isn't entirely
satisfactory for qemu://system. Works nicely for qemu://session though.

Daniel

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
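As an added example (not part of this thread and not libvirt's or virt-manager's own code), the Python below reads the `<graphics>` elements of a domain XML, distinguishes the socket form discussed above from a TCP listener, and for a unix socket reports who can connect from its owner, group and mode bits; that is the access-control difference between a socket owned by 'qemu' and a listener on 127.0.0.1 that any local user can reach. The domain XML, socket names and mode values are constructed for the demonstration, and the SELinux label lookup via the `security.selinux` xattr is an assumption that only yields a value on a Linux host with SELinux enabled.

```python
import os
import socket
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample domain XML (not a real guest definition): one VNC
# server on a unix socket and one on a TCP listener.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>demo</name>
  <devices>
    <graphics type='vnc' socket='/var/lib/libvirt/qemu/demo.vnc'/>
    <graphics type='vnc' listen='127.0.0.1' port='5900'/>
  </devices>
</domain>"""


def vnc_endpoints(domain_xml):
    """Describe every <graphics type='vnc'> element in a domain XML document.

    A 'socket' attribute means QEMU listens on a unix socket; otherwise it is
    a TCP listener, which is treated as 127.0.0.1 when 'listen' is absent.
    """
    root = ET.fromstring(domain_xml)
    endpoints = []
    for g in root.iter("graphics"):
        if g.get("type") != "vnc":
            continue
        path = g.get("socket")
        if path:
            endpoints.append({"transport": "unix", "path": path})
        else:
            endpoints.append({"transport": "tcp",
                              "listen": g.get("listen", "127.0.0.1"),
                              "port": g.get("port")})
    return endpoints


def assess_socket(path):
    """Report who can connect to a unix socket from its owner and mode bits.

    Connecting to a unix socket requires write permission on the socket inode
    (plus search permission on its directory), so the write bits decide
    whether the socket is limited to the owner, the owning group, or everyone.
    """
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError("%s is not a unix socket" % path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IWOTH:
        reach = "any local user"
    elif mode & stat.S_IWGRP:
        reach = "owner and owning group"
    else:
        reach = "owner only"
    # SELinux label (assumption: Linux with SELinux; None elsewhere).
    label = None
    if hasattr(os, "getxattr"):
        try:
            label = os.getxattr(path, "security.selinux").decode().rstrip("\0")
        except OSError:
            label = None
    return {"uid": st.st_uid, "gid": st.st_gid, "mode": oct(mode),
            "reachable_by": reach, "selinux_label": label}


def make_demo_socket(directory, name, mode):
    """Bind a throwaway unix socket in `directory` and set its mode (demo only)."""
    path = os.path.join(directory, name)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, mode)
    srv.close()  # the socket inode stays on disk until unlinked
    return path


def demo_assessment(mode):
    """Create a socket with `mode` in a temporary directory and assess it."""
    with tempfile.TemporaryDirectory() as d:
        return assess_socket(make_demo_socket(d, "demo.vnc", mode))


if __name__ == "__main__":
    for ep in vnc_endpoints(SAMPLE_DOMAIN_XML):
        print(ep)
    # A 0660 socket owned by 'qemu' is what a non-member desktop user cannot
    # open; a 0666 socket is reachable by everyone, much like 127.0.0.1:5900.
    print(demo_assessment(0o660))
    print(demo_assessment(0o666))
```

Run it on a real host by replacing `SAMPLE_DOMAIN_XML` with the output of `virsh dumpxml` and pointing `assess_socket` at the socket path it reports; the directory's own permissions and label (virt_image_t, per the reply above) still have to be checked separately.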