On Fri, Jul 20, 2007 at 04:30:22PM -0400, James Morris wrote: > On Fri, 20 Jul 2007, Daniel P. Berrange wrote: > > > It could be - if your put the policy at the control API layer instead of > > in QEMU itself. > > Then you can bypass MAC security by invoking qemu directly.
Isn't that upto the policy - if its a targetted policy, then this is true of most apps where the local users can bypass MAC, since they're all in unconfined domains. I would have thought strict policy would prevent direct execution of qemu though ? Regards, Dan. -- |=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=| |=- Perl modules: http://search.cpan.org/~danberr/ -=| |=- Projects: http://freshmeat.net/~danielpb/ -=| |=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=| ------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2005. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ _______________________________________________ kvm-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/kvm-devel
