On Fri, Feb 07, 2014 at 11:22:12AM -0700, Eric Blake wrote:
> On 02/07/2014 08:33 AM, Daniel P. Berrange wrote:
> My overall thoughts:
>
> If we had a way to do _just_ the mknod, then open the file, and pass the
> fd back to the parent, then do labeling on the fd from the parent
> context (rather than on the path in the child context), it would make
> for a smaller child action easier to audit. But I'm not sure that would
> get the labeling right - it looks like we have to label the actual path
> name in the child. Or even if selinux took a leaf from openat() and
> friends, and gave us the ability to do actions on a name relative to an
> fd, then all we'd need to do is fork, change namespace, open the fd of
> the container directory, pass that back, then do the remaining options
> in the parent, where life is much easier.

The FD passing idea is interesting. I think I will explore that idea
further to see if it is viable before we finalize this.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
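The mechanics behind the idea quoted above (child does the minimal privileged step and opens the file, parent receives the descriptor and does the rest) can be shown with a plain SCM_RIGHTS exchange over a socketpair. The following is an added example written for this thread, not code from libvirt or from either poster. It makes two simplifying assumptions so that it runs unprivileged without SELinux: the child creates an ordinary file instead of calling setns() and mknod(), and the parent's "labeling on the fd" step is stood in for by fchmod() plus fstat() where real code would call libselinux's fd-based fsetfilecon(). The function names (send_fd, recv_fd, parent_label_via_fd, demo_fdpass) are this example's own. Whether an fd-based label actually lands on the right object inside the container's namespace is exactly the open question Daniel says he will explore; the example only demonstrates the transport and the parent-side checks (cmsg validation and child exit status) that keep the parent from acting on a descriptor it did not expect.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Send one descriptor over a UNIX socket as SCM_RIGHTS ancillary data.
 * One payload byte is required so the message is not empty. Returns 0 on success. */
static int send_fd(int sock, int fd) {
    char byte = 0;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    memset(&u, 0, sizeof(u));
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof(u.buf) };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor. The parent validates the control message before
 * trusting it: wrong level/type/length means it is not the fd we asked for. */
static int recv_fd(int sock) {
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    memset(&u, 0, sizeof(u));
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof(u.buf) };
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS ||
        c->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Child side: the small, auditable action. Real container code would
 * setns() into the target namespace and mknod() here; this example
 * (assumption) just creates a regular file so it runs unprivileged. */
static void child_open_and_send(int sock, const char *path) {
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
    if (fd < 0) _exit(1);
    if (send_fd(sock, fd) < 0) _exit(2);
    _exit(0);
}

/* Parent side: fork, receive the fd, then operate on the fd rather than on a
 * path. fchmod()+fstat() stand in for fsetfilecon(). Returns the mode bits
 * observed through the fd, or -1 on any failure. */
int parent_label_via_fd(const char *path) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { close(sv[0]); child_open_and_send(sv[1], path); }
    close(sv[1]);
    int fd = recv_fd(sv[0]);
    close(sv[0]);
    int status;
    waitpid(pid, &status, 0);
    /* Refuse to act unless the child exited cleanly and a valid fd arrived. */
    if (fd < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) {
        if (fd >= 0) close(fd);
        return -1;
    }
    int result = -1;
    struct stat st;
    if (fchmod(fd, 0640) == 0 && fstat(fd, &st) == 0)
        result = (int)(st.st_mode & 07777);
    close(fd);
    return result;
}

/* Run the exchange on a fresh temp path and clean up; returns the mode bits. */
int demo_fdpass(void) {
    char path[] = "/tmp/fdpass-example-XXXXXX";   /* constructed scratch path */
    int t = mkstemp(path);
    if (t < 0) return -1;
    close(t);
    unlink(path);                 /* child re-creates it with O_EXCL */
    int mode = parent_label_via_fd(path);
    unlink(path);
    return mode;
}

int main(void) {
    int mode = demo_fdpass();
    printf("mode applied through the passed fd: %04o\n", mode);
    return mode == 0640 ? 0 : 1;
}
```

The parent never touches the path itself: everything after recv_fd() is fd-relative, which is the property that makes the child's privileged window small and easy to audit. If the child is killed or sends something that is not an SCM_RIGHTS descriptor, parent_label_via_fd() returns -1 instead of proceeding.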