Date: Wed, 8 Jul 2009 18:48:29 +0100
From: Vincent Hanquez
Subject: Re: [Qemu-devel] [PATCH 0/5] ATAPI pass through v2
Message-ID: <20090708174829.GA7078@snarc.org>
In-Reply-To: <4A54D57B.8080603@codemonkey.ws>
To: Anthony Liguori
Cc: Ian Jackson, Paul Brook, Alexandre Bique, qemu-devel@nongnu.org

On Wed, Jul 08, 2009 at 12:20:59PM -0500, Anthony Liguori wrote:
>>> I'm sure something like SELinux can be used to prevent a root QEMU
>>> process from doing a firmware upgrade.
>>>
>>
>> *boggle* You're not serious, are you?
>>
>
> Yes, I'm actually a fan of SELinux in the context of a dedicated
> virtualization system.

Do you really expect to put a SCSI packet inspector (to detect firmware
update for example) in a SELinux layer?

--
Vincent