Date: Thu, 5 Nov 2009 14:46:08 +0000
From: "Daniel P. Berrange"
Subject: Re: [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qemu
Message-ID: <20091105144608.GB689@redhat.com>
In-Reply-To: <4AF2E2E3.1030600@redhat.com>
To: Avi Kivity
Cc: Mark McLoughlin, Anthony Liguori, Arnd Bergmann, Juan Quintela, Dustin Kirkland, qemu-devel@nongnu.org, Michael Tsirkin

On Thu, Nov 05, 2009 at 04:36:19PM +0200, Avi Kivity wrote:
> On 11/05/2009 04:33 PM, Avi Kivity wrote:
> >and concerned that we're loosening security for qemu non-users.
> >
>
> I see you've addressed this via an acl system.  Still, this IMO
> should be outside qemu, esp. as security is now much more than
> users/groups (i.e. selinux and friends).

IMHO this needs to hook into PolicyKit, since that is the access control
framework that is being standardized on across the desktop.
It is quite easy to work with - all you need do is provide a policy file,
and to authorize a user, you'd run the 'pkcheck' program and its exit
status gives the result.

Daniel
-- 
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
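
The pkcheck step described in the message above, as an added example that is not part of the original post or of the patch series: a POSIX shell helper that asks polkit whether a given process is authorized and treats every exit status other than 0 as a refusal. The action id `org.example.qemu.bridge.attach`, the function names and `PROC_ROOT` are assumptions made for illustration; the action would have to be declared in a policy file.

```shell
#!/bin/sh
# Added example, not from the thread. ACTION_ID and the function names are
# hypothetical; the action would be declared in a polkit .policy file.
ACTION_ID="org.example.qemu.bridge.attach"
PROC_ROOT=/proc

# Field 22 of /proc/PID/stat is the process start time. Field 2 (comm) may
# contain spaces and ')', so cut through the LAST ") " before splitting.
stat_start_time() {
    rest=${1##*") "}        # $rest now starts at field 3 (state)
    set -- $rest
    [ "$#" -ge 20 ] || return 1
    shift 19                # drop fields 3..21
    printf '%s\n' "$1"
}

# Real uid: first value on the "Uid:" line of /proc/PID/status.
proc_real_uid() {
    awk '$1 == "Uid:" { print $2; exit }' "$1" 2>/dev/null
}

# Succeeds only if pkcheck exits 0 (authorized). Exit 1 (denied), 2 (would
# need authentication), 3 (dismissed), 127 (error) or a missing pkcheck
# binary all refuse, so the caller fails closed.
bridge_authorized() {
    pid=$1
    case $pid in ''|*[!0-9]*) return 1 ;; esac
    stat_line=$(cat "$PROC_ROOT/$pid/stat" 2>/dev/null) || return 1
    start=$(stat_start_time "$stat_line") || return 1
    uid=$(proc_real_uid "$PROC_ROOT/$pid/status") || return 1
    [ -n "$start" ] && [ -n "$uid" ] || return 1
    # pid,start-time,uid pins the subject so a recycled pid cannot be
    # mistaken for the process that asked.
    pkcheck --action-id "$ACTION_ID" --process "$pid,$start,$uid" \
        >/dev/null 2>&1 && return 0
    return 1
}
```

A privileged helper would call `bridge_authorized "$requesting_pid"` before touching the bridge and exit without acting when it returns non-zero.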