On 16.02.2016 17:59, Daniel P. Berrange wrote:
> On Mon, Feb 15, 2016 at 05:38:37PM +0100, Michal Privoznik wrote:
>> Are you tired of remembering IP addresses for your domains? Do
>> you have enough of configuring static IPs so that you can add
>> them to your hosts file? Then the libvirt NSS module is exactly
>> what you need!
>>
>> NSS does a lot in a Linux host. These patches aim at translating
>> domain names into IP addresses. All you need to do is install
>> libnss_libvirt.so.2 (e.g. via 'make install' run from the source
>> dir), enable the module in nsswitch.conf:
>>
>> $ grep libvirt /etc/nsswitch.conf
>> hosts: files dns libvirt
>>
>> and you're all set. Now you can just:
>>
>> $ ping $mydomain
>> $ ssh user@$mydomain
>>
>> or anything you'd like. The only limitation is that it has to be
>> libvirt who has assigned the domain its IP address. The limitation
>> comes from the implementation, in which the
>> '/var/lib/libvirt/dnsmasq/*.status' files are parsed when looking
>> up a hostname.
>
> So the 'nss' modules are loaded by any process on the host
> which does DNS lookups. This in turn implies that any process
> has to have permission to read the dnsmasq lease files directly.
> I don't think this is very desirable, particularly from an
> SELinux POV - I'm not convinced we want to grant every process
> permission to read virt_var_lib_t.

Okay, I hadn't thought of that. What if the *.status files under
/var/lib/libvirt/dnsmasq had the label virt_nss_var_lib_t and we had a
new SELinux boolean? Anybody who could read virt_var_lib_t could read
virt_nss_var_lib_t too. Moreover, if the boolean were set, everybody
else, who would be denied on virt_var_lib_t, would be granted access on
virt_nss_var_lib_t.

>
> I'm wondering if we shouldn't have a separate file(s) recording
> the hostname/IP address mappings for the NSS module to read,
> that we place somewhere dedicated to this purpose, so we can
> grant permission to just the data NSS needs.

I'd like to avoid that if possible.

Michal

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
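As an added illustration, not code from the patches or from libvirt itself, here is a Python sketch of the lookup the module performs: scan the dnsmasq status files, match the hostname, return its addresses. The JSON layout of the status file and its lease fields are assumed, and the sample lease data is constructed; the point is that whichever process resolves a name is the one that has to read these files.

```python
import json
import os
import tempfile

# Constructed sample lease data in the layout assumed for libvirt's
# /var/lib/libvirt/dnsmasq/<network>.status files (a JSON list of leases).
SAMPLE_STATUS = json.dumps([
    {"ip-address": "192.168.122.10", "mac-address": "52:54:00:aa:bb:cc",
     "hostname": "web1", "expiry-time": 1455555555},
    {"ip-address": "192.168.122.11", "mac-address": "52:54:00:dd:ee:ff",
     "hostname": "web1", "expiry-time": 1455555555},   # second lease, same name
    {"ip-address": "192.168.122.12", "mac-address": "52:54:00:11:22:33",
     "expiry-time": 1455555555},                       # no hostname: never matches
])

def addresses_for(hostname, leases):
    """Return the IPs leased to `hostname` (DNS names compare case-insensitively)."""
    wanted = hostname.lower()
    return [lease["ip-address"] for lease in leases
            if isinstance(lease, dict) and "ip-address" in lease
            and str(lease.get("hostname", "")).lower() == wanted]

def lookup(hostname, status_dir):
    """Emulate the NSS lookup: read every *.status file in status_dir.

    Every process that resolves a name would run this, so every such process
    needs read access to the directory; that is the SELinux concern raised in
    the thread. An unreadable or malformed file is skipped instead of failing
    the whole lookup, so the next source in nsswitch.conf still gets a turn.
    """
    found = []
    for name in sorted(os.listdir(status_dir)):
        if not name.endswith(".status"):
            continue
        try:
            with open(os.path.join(status_dir, name)) as fh:
                leases = json.load(fh)
        except (OSError, ValueError):
            continue
        found.extend(addresses_for(hostname, leases))
    return found

def demo():
    """Write the constructed sample to a temp dir and resolve two names."""
    with tempfile.TemporaryDirectory() as status_dir:
        with open(os.path.join(status_dir, "default.status"), "w") as fh:
            fh.write(SAMPLE_STATUS)
        return lookup("WEB1", status_dir), lookup("nonexistent", status_dir)
```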