On 01/23/2013 08:26 PM, Eric Blake wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=718377
> complains that there were some SELinux AVCs when using vnc console
> over Kerberos. The root problem was that Kerberos tries to set up
> a cache file, and if we don't tell it where, then all domains use
> the same cache file, which violates sVirt protections. Setting the
> environment variable unconditionally should be safe, even for setups
> where Kerberos won't actually create a cache file.
>
> * src/qemu/qemu_process.c (qemuProcessStart): Set KRB5CACHEDIR for
> each domain.
> ---
>  src/qemu/qemu_process.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
> index 55d00e3..986e8ee 100644
> --- a/src/qemu/qemu_process.c
> +++ b/src/qemu/qemu_process.c
> @@ -1,7 +1,7 @@
>  /*
>   * qemu_process.h: QEMU process management
>   *
> - * Copyright (C) 2006-2012 Red Hat, Inc.
> + * Copyright (C) 2006-2013 Red Hat, Inc.
>   *
>   * This library is free software; you can redistribute it and/or
>   * modify it under the terms of the GNU Lesser General Public
> @@ -3857,6 +3857,8 @@ int qemuProcessStart(virConnectPtr conn,
>      virCommandSetPidFile(cmd, priv->pidfile);
>      virCommandDaemonize(cmd);
>      virCommandRequireHandshake(cmd);
> +    virCommandAddEnvFormat(cmd, "KRB5CACHEDIR=%s/%s.krb",
> +                           driver->cacheDir, vm->def->name);
>
>      ret = virCommandRun(cmd, NULL);
>

Thanks for taking a stab at this. The environment variable is actually
called KRB5RCACHEDIR, and I don't think Kerberos creates the directory
for us. There's also KRB5RCACHENAME for pointing to a file path.

What all this means is that someone should probably reproduce the bug
first :)

Thanks,
Cole

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
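Review bot: The file header in the first hunk still reads "qemu_process.h: QEMU process management" although the file is qemu_process.c; since the copyright line right below it is being touched anyway, correct the stale filename in the same hunk rather than leaving it for another patch.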
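Review bot: The variable set in the second hunk, KRB5CACHEDIR, is not one Kerberos reads, so as written the added virCommandAddEnvFormat line has no effect and the per-domain separation the commit message is after never happens; the replay-cache directory variable is KRB5RCACHEDIR, and KRB5RCACHENAME names a single file. The value "%s/%s.krb" is also shaped like a file path, while KRB5RCACHEDIR expects a directory that, per the reply, the library does not create, so either use KRB5RCACHENAME with that per-domain file path, or use KRB5RCACHEDIR with a per-domain directory that qemuProcessStart creates (and labels for sVirt) before virCommandRun. Either way, confirm against the AVCs in the bug report that it is the replay cache, not the credentials cache, that the domains are sharing.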