On 2013年01月24日 09:26, Eric Blake wrote:
https://bugzilla.redhat.com/show_bug.cgi?id=718377 complains that there were some SELinux AVCs when using vnc console over Kerberos. The root problem was that Kerberos tries to set up a cache file, and if we don't tell it where, then all domains use the same cache file, which violates sVirt protections. Setting the environment variable unconditionally should be safe, even for setups where Kerboros won't actually create a cache file. * src/qemu/qemu_process.c (qemuProcessStart): Set KRB5CACHEDIR for each domain. --- src/qemu/qemu_process.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index 55d00e3..986e8ee 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c @@ -1,7 +1,7 @@ /* * qemu_process.h: QEMU process management * - * Copyright (C) 2006-2012 Red Hat, Inc. + * Copyright (C) 2006-2013 Red Hat, Inc. * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -3857,6 +3857,8 @@ int qemuProcessStart(virConnectPtr conn, virCommandSetPidFile(cmd, priv->pidfile); virCommandDaemonize(cmd); virCommandRequireHandshake(cmd); + virCommandAddEnvFormat(cmd, "KRB5CACHEDIR=%s/%s.krb", + driver->cacheDir, vm->def->name);
ACK. -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list