Re: RFC: extending sVirt to confine host apps which talk to libvirtd

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 2011-06-09 at 11:15 -0400, Eric Paris wrote:
> On Mon, 2011-06-06 at 15:41 +0100, Daniel P. Berrange wrote:
> > What follows is a document outlining some thoughts I've been having
> > on extending sVirt to allow confinement of applications which talk
> > to libvirtd on the host, primarily focusing on use of SELinux, but
> > also allowing a simple non-SElinux RBAC mechanism.
> 
> Are we reinventing a lot of PolicyKit?  I don't think policykit does a
> good job of using SELinux but it does attempt to solve most of the same
> problem you are attempting to solve here.  I just want to make sure it
> was looked at, even if I like the approach you are taking here more...

I've not had time to dig deep into this, but a concern I had is how this
might affect other security drivers (in my case, specifically AppArmor,
but DAC alone might also be something to think about as well as any
future drivers like for SMACK or Tomoyo). Using something like
PolicyKit, if it is appropriate, could allow non-SElinux drivers to
benefit as well.

-- 
Jamie Strandboge             | http://www.canonical.com

Attachment: signature.asc
Description: This is a digitally signed message part

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list

[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]