On Wed, May 09, 2018 at 10:00:19AM +0100, Daniel P. Berrangé wrote: > On Wed, May 09, 2018 at 11:50:33AM +0300, Anastasiya Ruzhanskaya wrote: > > Here https://libvirt.org/acl.html is stated that you designed this access > > control system as pluggable. Are there any options ( even with modifying > > libvirt code) to plug in any custom driver? > > I just need to take a try and design something that will support remote > > access control. > > I am not sure if sVirt is the right thing I should look at. > > It is pluggable in the sense that we can write more backends for it > without having to refactor the rest of libvirt codebase. It isn't > pluggable from POV of an end user wishing to change it - it needs > contribution to libvirt code to add more options. > > I did look at creating an SELinux plugin many years ago, but the > number of new SELinux AVs to be defined was huge and I wasn't sure > the complexity of policy would be practical to handle in real world. > Also, SELinux with TCP adds an extra level of complexity as you now > need to figure out IPSec setup to pass SELinux labels across the > network from the client. > > Probably what we would more usefully add is a simple RBAC based > module natively in libvirt. I forgot to say that if you want to look at writing a new impl the code is kept in $GIT/src/access/. The current polkit impl is viraccessdriverpolkit.c. Implementing a new driver involves creating a new source file with a virAccessDriver struct that contains pointers to the methods that implement the desired logic. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| _______________________________________________ libvirt-users mailing list libvirt-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvirt-users
