On Wed, Mar 24, 2010 at 06:20:38PM +0200, Avi Kivity wrote: > On 03/24/2010 06:17 PM, Joerg Roedel wrote: >> But is this not only one entity more for >> sVirt to handle? I would leave that decision to the sVirt developers. >> Does attaching the same label as for the VM resources mean that root >> could not access it anymore? >> > > IIUC processes run under a context, and there's a policy somewhere that > tells you which context can access which label (and with what > permissions). There was a server on the Internet once that gave you > root access and invited you to attack it. No idea if anyone succeeded > or not (I got bored after about a minute). > > So it depends on the policy. If you attach the same label, that means > all files with the same label have the same access permissions. I think. So if this is true we can introduce a 'trace' label and add all contexts that should be allowed to trace to it. But we probably should leave the details to the security experts ;-) Joerg -- To unsubscribe from this list: send the line "unsubscribe kvm" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
