Am 21.05.2012 22:19, schrieb Corey Bryant: > libvirt's sVirt security driver provides SELinux MAC isolation for > Qemu guest processes and their corresponding image files. In other > words, sVirt uses SELinux to prevent a QEMU process from opening > files that do not belong to it. > > sVirt provides this support by labeling guests and resources with > security labels that are stored in file system extended attributes. > Some file systems, such as NFS, do not support the extended > attribute security namespace, and therefore cannot support sVirt > isolation. > > A solution to this problem is to provide fd passing support, where > libvirt opens files and passes file descriptors to QEMU. This, > along with SELinux policy to prevent QEMU from opening files, can > provide image file isolation for NFS files. > > This patch series adds the -filefd command-line option and the > getfd_file monitor command. This will enable libvirt to open a > file and push the corresponding filename and file descriptor to > QEMU. When QEMU needs to "open" a file, it will first check if the > file descriptor was passed by either of these methods before > attempting to actually open the file. I thought we decided to avoid making some file names magic, and instead go for the obvious /dev/fd/42? Kevin -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list