openstack team mailing list archive
Message #15833
Re: [OSSA 2012-011] Compute node filesystem injection/corruption (CVE-2012-3447)
I have to ask. Wasn't FUSE designed to do a lot of this stuff? It is
userspace and it doesn't do nasty stuff to file systems. Why aren't we
going that route?
-Matt
On Tue, Aug 14, 2012 at 11:05 AM, Richard W.M. Jones <rich@xxxxxxxxxxx> wrote:
> On Wed, Aug 08, 2012 at 11:08:48AM +0100, Daniel P. Berrange wrote:
> > Also note that current work is being done to make libguestfs use
> > libvirt to launch its appliance VMs, at which point libguestfs VMs
> > will be strongly confined by sVirt (SELinux/AppArmor), and also
> > able to run as a separate user ID.
>
> Thanks for the advert Dan :-)
>
> If you've got libguestfs >= 1.19.25, then you can in fact already use
> libvirt to manage the appliance. You just need to set the environment
> variable LIBGUESTFS_ATTACH_METHOD=libvirt before running the
> libguestfs-using tool.
>
> SELinux confinement is nearly working too. I'm just waiting on a
> change to the SELinux policy before it's done.
>
> Fedora 18 will have all the necessary bits.
>
> Rich.
>
> --
> Richard Jones
> Red Hat