On Wed, May 09, 2018 at 09:46:28AM +0300, Anastasiya Ruzhanskaya wrote: > Hello! > According to the documentation access control drivers are not in really > "good condition". There is a polkit, but it can distinguish users only > according the pid. However, I have met some articles about more > fine-grained control and about selinux drivers for libvirt? So, what is the > status now? Should I implement something by myself if I want access based > on login, are their instructions how to write these drivers or there is > smth already? The polkit access control driver is the only one we support, and it is not something that end users can replace as this is not a public plugin system. Any alternate impl would have to be part of libvirt core. I'm not sure what docs you are referring to, but the polkit driver is in perfectly good condition. It is not restricted to just checking PIDs, in fact PID is largely irrelevant - user name and group membership are the important things to check. Ther is an example in the source tree at examples/polkit/libvirt-acl.rules showing a simple RBAC approach to using polkit. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| _______________________________________________ libvirt-users mailing list libvirt-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvirt-users
