Re: [PATCH RFC 1/3] security_dac: Remember owner prior chown() and restore on relabel

On Tue, Feb 26, 2013 at 05:08:40PM +0100, Michal Privoznik wrote:
> Currently, if we label a file to match qemu process DAC label, we
> do not store the original owner anywhere. So when relabeling
> back, the only option we have is to relabel to root:root
> which is obviously wrong.
> 
> However, bare remembering is not enough. We need to keep track of
> how many times we labeled a file so only the last restore
> chown()-s file back to the original owner.

Your patches don't deal with this scenario correctly I'm afraid.
A shared file may be on NFS, so simply ref-counting inside
libvirtd doesn't cut it. We need a ref count visible to all
libvirtd instances that can see the file.  My thought is that
we ought to make use of an extended attribute for recording
the ref count and original ownership.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
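The following is an added illustration of the scheme Daniel proposes above (original owner and a reference count stored in extended attributes on the file itself, so every libvirtd that can see a shared NFS image sees the same state). It is not code from this thread or from libvirt; the xattr names, the `label`/`restore` functions and the two backends are assumptions made for the example. The `LinuxBackend` performs the real `chown`/xattr calls; the `FakeBackend` is an in-memory stand-in with a constructed file so the logic can be exercised without root or an xattr-capable filesystem.

```python
import errno
import os

# xattr names used by this example (hypothetical, not libvirt's). The "user."
# namespace lets the example run unprivileged; a real security driver would
# store this in a namespace that the guest-facing (unprivileged) uid cannot
# rewrite, otherwise the owner record itself becomes a tampering target.
XATTR_OWNER = "user.example.dac_orig_owner"
XATTR_REFCOUNT = "user.example.dac_refcount"


class LinuxBackend:
    """Real filesystem operations: needs privilege for chown and xattr support."""

    def owner(self, path):
        st = os.stat(path)
        return st.st_uid, st.st_gid

    def chown(self, path, uid, gid):
        os.chown(path, uid, gid)

    def get_xattr(self, path, name):
        try:
            return os.getxattr(path, name).decode()
        except OSError as e:
            if e.errno == errno.ENODATA:
                return None  # attribute not present: file was never labeled by us
            raise

    def set_xattr(self, path, name, value):
        os.setxattr(path, name, value.encode())

    def remove_xattr(self, path, name):
        os.removexattr(path, name)


class FakeBackend:
    """In-memory stand-in for demonstration: {path: (uid, gid)} of constructed files."""

    def __init__(self, files):
        self.owners = dict(files)
        self.xattrs = {p: {} for p in files}

    def owner(self, path):
        return self.owners[path]

    def chown(self, path, uid, gid):
        self.owners[path] = (uid, gid)

    def get_xattr(self, path, name):
        return self.xattrs[path].get(name)

    def set_xattr(self, path, name, value):
        self.xattrs[path][name] = value

    def remove_xattr(self, path, name):
        del self.xattrs[path][name]


def label(backend, path, uid, gid):
    """Chown path to uid:gid, remembering the original owner on first use."""
    count = backend.get_xattr(path, XATTR_REFCOUNT)
    if count is None:
        # First labeling of this file: record who owned it before we touched it.
        ouid, ogid = backend.owner(path)
        backend.set_xattr(path, XATTR_OWNER, f"{ouid}:{ogid}")
        count = 0
    backend.set_xattr(path, XATTR_REFCOUNT, str(int(count) + 1))
    backend.chown(path, uid, gid)


def restore(backend, path):
    """Drop one reference; only the last restore chowns back. Returns True if it did."""
    count = backend.get_xattr(path, XATTR_REFCOUNT)
    if count is None:
        return False  # Not labeled by us: leave ownership alone, never guess root:root.
    count = int(count) - 1
    if count > 0:
        backend.set_xattr(path, XATTR_REFCOUNT, str(count))
        return False
    ouid, ogid = (int(x) for x in backend.get_xattr(path, XATTR_OWNER).split(":"))
    backend.remove_xattr(path, XATTR_REFCOUNT)
    backend.remove_xattr(path, XATTR_OWNER)
    backend.chown(path, ouid, ogid)
    return True


if __name__ == "__main__":
    fb = FakeBackend({"/nfs/shared.img": (1000, 1000)})  # constructed sample file
    label(fb, "/nfs/shared.img", 107, 107)  # first host starts a guest
    label(fb, "/nfs/shared.img", 107, 107)  # second host shares the image
    print(restore(fb, "/nfs/shared.img"), fb.owner("/nfs/shared.img"))  # False (107, 107)
    print(restore(fb, "/nfs/shared.img"), fb.owner("/nfs/shared.img"))  # True (1000, 1000)
```

Two things the example deliberately leaves out and a real driver must handle: the read-modify-write of the refcount is not atomic across hosts, so concurrent label/restore calls from two libvirtd instances need a lock on the file (or an equivalent mutual-exclusion mechanism) around it; and extended attributes are only available on NFS where both server and client support them (user xattrs arrived with NFSv4.2), so the driver needs a defined behaviour when `setxattr` fails rather than silently falling back to the root:root restore the original patch description rejects.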

