qemu-devel.nongnu.org archive mirror
From: Anthony Liguori <anthony@codemonkey.ws>
To: Alexander Graf <agraf@suse.de>
Cc: Paul Moore <pmoore@redhat.com>,
	qemu-devel Developers <qemu-devel@nongnu.org>,
	Roman Drahtmueller <draht@suse.de>
Subject: Re: [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (security type 2) when in FIPS mode
Date: Tue, 05 Jun 2012 09:03:13 +0800
Message-ID: <4FCD5AD1.9080406@codemonkey.ws>
In-Reply-To: <A4BD8D9E-1176-4AA9-8468-39E8E1DD42A8@suse.de>

On 06/05/2012 08:55 AM, Alexander Graf wrote:
>
> On 05.06.2012, at 01:54, Anthony Liguori wrote:
>
>> Have you ever experienced a random failure on an SELinux box that made no logical sense?  Out of desperation, you setenforce 0 and magically, things work again.
>
> Yeah - I never understood how anyone thought it makes sense to enable SELinux globally by default.... Either way, FIPS hopefully isn't something you find enabled by accident anywhere.
>
>> Even if the user enabled fips mode, they may not understand that this means VNC authentication will stop working.  Providing an option (1) allows the user to discover what the problem is (2) makes the behavior much more clear.
>
> Where would you want the option to live? Compile time would be useless - users don't recompile QEMU, they take binary packages. A runtime option? Who would enable that runtime option then? Libvirt by default I suppose? So you're back in the same hell. RH would patch libvirt to always pass in -enable-fips and nothing would be different.

A QemuOpts option that is disabled by default but can be enabled through 
/etc/qemu/target-x86_64.conf

If any distribution wants to enable it as part of the default configuration, 
they certainly can.  But a user can override it if they want to.

Likewise, libvirt can enable it by default if they are so inclined.  At least 
the qemu logs from libvirt will show -enable-fips-mode

>
>> Removing features based on a magic procfs variable with no input from the user is a bad idea IMHO.
>
> But it's the design of the Linux FIPS model.

Just because someone made a bad choice, that doesn't mean we have to continue to 
make bad choices ourselves.

This whole feature is ridiculous from a technical perspective.  As you said, 
disabling VNC auth but allowing no-password to be used is simply moronic.

I understand why we have to support these things, but it should not be the 
default behavior.

Regards,

Anthony Liguori
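
The opt-in behaviour proposed in this message, as an added example that is not part of the original message or QEMU's code: VNC password authentication is refused only when the user-visible option is set and the kernel reports FIPS mode, and the refusal is logged. Function names are hypothetical, and it assumes the option gates a check of the Linux kernel's `/proc/sys/crypto/fips_enabled` flag, which the message refers to only as a procfs variable.

```c
#include <stdbool.h>
#include <stdio.h>

/* Real Linux procfs flag; reads "1\n" when the kernel runs in FIPS mode. */
#define FIPS_PROCFS_PATH "/proc/sys/crypto/fips_enabled"

/* Hypothetical helper: does the given file report FIPS mode? A missing or
 * unreadable file (non-Linux host, kernel without the flag) counts as "no". */
static bool kernel_reports_fips(const char *path)
{
    FILE *f = fopen(path, "r");
    int c;

    if (!f) {
        return false;
    }
    c = fgetc(f);
    fclose(f);
    return c == '1';
}

/* Hypothetical policy function: FIPS restrictions apply only when the user
 * (or distro config, or libvirt) opted in AND the kernel reports FIPS mode.
 * Without the opt-in the procfs flag is never consulted. */
static bool fips_restrictions_active(bool opt_enable_fips, const char *path)
{
    return opt_enable_fips && kernel_reports_fips(path);
}

/* Returns true if VNC password authentication (security type 2) may be
 * offered; on refusal, says why so the failure is discoverable. */
static bool vnc_password_auth_allowed(bool opt_enable_fips, const char *path)
{
    if (fips_restrictions_active(opt_enable_fips, path)) {
        fprintf(stderr, "vnc: password authentication disabled: FIPS mode "
                        "requested and %s reports 1\n", path);
        return false;
    }
    return true;
}

int main(void)
{
    /* Constructed scenario: option at its default (off), then opted in. */
    printf("default:  %d\n", vnc_password_auth_allowed(false, FIPS_PROCFS_PATH));
    printf("opted in: %d\n", vnc_password_auth_allowed(true, FIPS_PROCFS_PATH));
    return 0;
}
```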
