
openstack team mailing list archive

Re: [OSSA 2012-011] Compute node filesystem injection/corruption (CVE-2012-3447)

 

On Wed, Aug 08, 2012 at 11:08:48AM +0100, Daniel P. Berrange wrote:
> Also note that current work is being done to make libguestfs use
> libvirt to launch its appliance VMs, at which point libguestfs VMs
> will be strongly confined by sVirt (SELinux/AppArmor), and also
> able to run as a separate user ID.

Thanks for the advert Dan :-)

If you've got libguestfs >= 1.19.25, then you can in fact already use
libvirt to manage the appliance.  You just need to set the environment
variable LIBGUESTFS_ATTACH_METHOD=libvirt before running the
libguestfs-using tool.

SELinux confinement is nearly working too.  I'm just waiting on a
change to the SELinux policy before it's done.

Fedora 18 will have all the necessary bits.

Rich.

-- 
Richard Jones
Red Hat

