From: "Daniel P. Berrange"
Subject: Re: [RFC][PATCH 00/01] qemu VM entrypoints
Date: Fri, 20 Jul 2007 21:38:42 +0100
Message-ID: <20070720203842.GE12218@redhat.com>
References: <20070720201101.GC12218@redhat.com>
To: James Morris
Cc: kvm-devel, David Windsor, Joshua Brindle, selinux
List-Id: kvm.vger.kernel.org

On Fri, Jul 20, 2007 at 04:30:22PM -0400, James Morris wrote:
> On Fri, 20 Jul 2007, Daniel P. Berrange wrote:
>
> > It could be - if you put the policy at the control API layer instead of
> > in QEMU itself.
>
> Then you can bypass MAC security by invoking qemu directly.

Isn't that up to the policy - if it's a targeted policy, then this is true of most apps where the local users can bypass MAC, since they're all in unconfined domains. I would have thought strict policy would prevent direct execution of qemu though?

Regards,
Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=|