Re: Libvirt access control drivers

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, May 09, 2018 at 09:46:28AM +0300, Anastasiya Ruzhanskaya wrote:
> Hello!
> According to the documentation access control drivers are not in really
> "good condition". There is a polkit, but it can distinguish users only
> according the pid. However, I have met some articles about more
> fine-grained control and about selinux drivers for libvirt? So, what is the
> status now? Should I implement something by myself if I want access based
> on login, are their instructions how to write these drivers or there is
> smth already?

The polkit access control driver is the only one we support, and it is not
something that end users can replace as this is not a public plugin system.
Any alternate impl would have to be part of libvirt core.

I'm not sure what docs you are referring to, but the polkit driver is in
perfectly good condition. It is not restricted to just checking PIDs,
in fact PID is largely irrelevant - user name and group membership are
the important things to check. Ther is an example in the source tree at
examples/polkit/libvirt-acl.rules showing a simple RBAC approach to using
polkit.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

_______________________________________________
libvirt-users mailing list
libvirt-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvirt-users



[Index of Archives]     [Virt Tools]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [KDE Users]

  Powered by Linux