Re: [PATCH] qemu: don't share kerberos caches between domains

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 01/24/2013 07:05 PM, Eric Blake wrote:
> On 01/24/2013 03:53 PM, Cole Robinson wrote:
>> On 01/23/2013 08:26 PM, Eric Blake wrote:
>>> https://bugzilla.redhat.com/show_bug.cgi?id=718377
>>> complains that there were some SELinux AVCs when using vnc console
>>> over Kerberos.  The root problem was that Kerberos tries to set up
>>> a cache file, and if we don't tell it where, then all domains use
>>> the same cache file, which violates sVirt protections.  Setting the
>>> environment variable unconditionally should be safe, even for setups
>>> where Kerboros won't actually create a cache file.
>>>
> 
>>> +    virCommandAddEnvFormat(cmd, "KRB5CACHEDIR=%s/%s.krb",
>>> +                           driver->cacheDir, vm->def->name);
>>>
>>>      ret = virCommandRun(cmd, NULL);
>>>
>>
>> Thanks for taking a stab at this. The environment variable is actually called
>> KRB5RCACHEDIR, and I don't think kerberos creates the directory for us.
>> There's also KRB5RCACHENAME for pointing to a file path.
> 
> Good thing I haven't pushed yet.  Where is this documented, so that I
> can fix my patch to match Kerberos expectations?
> 

I just looked at the krb5 code.

>>
>> What all this means is that someone should probably reproduce the bug first :)
> 
> Unfortunately, I've got a huge learning curve ahead of me if I'm going
> to reproduce it (I was just implementing what looked like an easy fix
> based on the bugzilla content).
> 

Same reason why I never tested it and submitted the obvious patch :)

- Cole

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list


[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]