On 27/11/2017 10:40, Daniel P. Berrange wrote:
> 
> If we had one daemon per QEMU, then we would give the daemon the same
> MCS label as QEMU. The kernel will thus enforce this label matches the
> label on the QEMU process when it connects to the UNIX socket. The kernel
> will also validate the label on the disk file descriptor passed to the
> daemon by QEMU.
> 
> If we had one daemon per host, then that daemon will need a generic
> label that lets all QEMUs connect to it. When QEMU passes in a disk
> FD, the daemon will need to query the SELinux context of the remote
> QEMU process, and then perform a userspace ACL check of that against
> the FD that is passed in.
> 
> The latter case means the QEMU helper will need to link to libselinux
> and performs checks itself.

Then it seems much better to use one daemon per QEMU, indeed.

Paolo

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Reply via email to