On 01/24/2013 07:05 PM, Eric Blake wrote:
> On 01/24/2013 03:53 PM, Cole Robinson wrote:
>> On 01/23/2013 08:26 PM, Eric Blake wrote:
>>> https://bugzilla.redhat.com/show_bug.cgi?id=718377
>>> complains that there were some SELinux AVCs when using vnc console
>>> over Kerberos. The root problem was that Kerberos tries to set up
>>> a cache file, and if we don't tell it where, then all domains use
>>> the same cache file, which violates sVirt protections. Setting the
>>> environment variable unconditionally should be safe, even for setups
>>> where Kerberos won't actually create a cache file.
>>>
>
>>> + virCommandAddEnvFormat(cmd, "KRB5CACHEDIR=%s/%s.krb",
>>> + driver->cacheDir, vm->def->name);
>>>
>>> ret = virCommandRun(cmd, NULL);
>>>
>>
>> Thanks for taking a stab at this. The environment variable is actually called
>> KRB5RCACHEDIR, and I don't think kerberos creates the directory for us.
>> There's also KRB5RCACHENAME for pointing to a file path.
>
> Good thing I haven't pushed yet. Where is this documented, so that I
> can fix my patch to match Kerberos expectations?
>

I just looked at the krb5 code.

>>
>> What all this means is that someone should probably reproduce the bug first :)
>
> Unfortunately, I've got a huge learning curve ahead of me if I'm going
> to reproduce it (I was just implementing what looked like an easy fix
> based on the bugzilla content).
>

Same reason why I never tested it and submitted the obvious patch :)

- Cole

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
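
Review bot: in the added virCommandAddEnvFormat call the variable is spelled KRB5CACHEDIR, while the reply in this thread gives the name as KRB5RCACHEDIR; if the reply is right, the setting is ignored and all domains keep sharing one cache location, so the name should be confirmed against the krb5 source before this is pushed. The visible lines also build `%s/%s.krb` under driver->cacheDir without creating that directory before virCommandRun, and the reply doubts that Kerberos creates it, so the hunk should either create the per-domain directory and handle failure, or use KRB5RCACHENAME to point at a file path instead.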