The last intentional use of /tmp by libvirt was patched in
commit bd6083c9b; we can add an extra measure of security
by explicitly requesting that libvirtd's /tmp is not visible
to arbitrary users.  See https://bugzilla.redhat.com/782474

* daemon/libvirtd.service.in (Service): Enable PrivateTmp.
---
 daemon/libvirtd.service.in |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/daemon/libvirtd.service.in b/daemon/libvirtd.service.in
index 8f2458a..cf68440 100644
--- a/daemon/libvirtd.service.in
+++ b/daemon/libvirtd.service.in
@@ -17,6 +17,7 @@ ExecStart=@sbindir@/libvirtd $LIBVIRTD_ARGS
 ExecReload=/bin/kill -HUP $MAINPID
 # Override the maximum number of opened files
 #LimitNOFILE=2048
+PrivateTmp=true

 [Install]
 WantedBy=multi-user.target
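Review bot: the new `PrivateTmp=true` line is dropped in without a comment next to the commented-out `#LimitNOFILE=2048`, and nothing in the unit or the commit message records the behavioural consequence: systemd's PrivateTmp gives the service a private mount namespace for both /tmp and /var/tmp, and that namespace is inherited by every process libvirtd spawns (QEMU, helpers, hook scripts). Any file a user places under /tmp and references from a domain definition (an installer ISO, a disk image, a socket path) therefore becomes invisible to libvirtd and to the guest, which is a functional change beyond the stated goal of hiding libvirtd's own temporary files from other users. Suggest a short comment above the setting, e.g.:
`# Run with a private /tmp and /var/tmp so other users cannot see or`
`# tamper with libvirtd's temporary files; paths under /tmp in domain XML`
`# are not visible to libvirtd or to the guests it starts.`
and a matching line in the commit message, so the trade-off is visible to whoever next debugs a "file not found" error for a /tmp path.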
-- 
1.7.7.6

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
