On 12/22/23 20:01, Stephen Lauck wrote:
> Is there a way to use facl to specifically grant permission to all the
> files/dirs that libvirt needs instead of using groups?
>

Libvirt itself does not set ACLs. BUT what you can do is suppress setting DAC/SELinux seclabels on files exposed to QEMU:

https://libvirt.org/formatdomain.html#security-label

You can set it either for the whole domain (i.e. no paths will be labeled), or on an individual basis, e.g. for disks:

  <disk>
    <source file='/path/to/disk.qcow2'>
      <seclabel relabel='no'/>
    </source>
  </disk>

and then set facls yourself. You can even do that when a domain is about to be started - libvirt allows admins to run a bash script just before QEMU is launched - we call them hooks:

https://libvirt.org/hooks.html

The hook is fed with the domain XML, from which you can then obtain the list of paths to set facls on.

I'm not exactly sure how the facl discussion ended (we've discussed that option a long time ago), but there were some difficulties:

1) facls require XATTRs, which are not always present (at least weren't back then),
2) restoring the original state is a bit tricky, though libvirt does have a mechanism to restore original DAC labels.

Michal

_______________________________________________
Users mailing list -- users@xxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxx
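A hook of the kind Michal describes, as an added example that is not part of the message or of libvirt itself: a script installed as /etc/libvirt/hooks/qemu reads the domain XML from stdin, picks out the file-backed disks the admin marked with relabel='no' (the ones libvirt will not label), and grants a POSIX ACL for the QEMU user on "prepare" and removes it again on "release" so the original state is restored. The hook path and argument order, the user name "qemu" and the sample domain XML are assumptions.

```python
#!/usr/bin/env python3
# Hypothetical /etc/libvirt/hooks/qemu (added example, not libvirt code).
# libvirt runs it as: qemu <guest> <operation> <sub-op> <extra>, XML on stdin.
import subprocess
import sys
import xml.etree.ElementTree as ET

QEMU_USER = "qemu"  # assumed; match the user= setting in qemu.conf

# Constructed sample: vda is left unlabeled by libvirt, the cdrom is not.
SAMPLE_XML = """<domain type='kvm'><name>vm1</name><devices>
  <disk type='file' device='disk'>
    <source file='/var/lib/libvirt/images/vm1.qcow2'>
      <seclabel relabel='no'/>
    </source>
    <target dev='vda' bus='virtio'/>
  </disk>
  <disk type='file' device='cdrom'>
    <source file='/var/lib/libvirt/images/install.iso'/>
    <target dev='sda' bus='sata'/>
  </disk>
</devices></domain>"""


def unlabeled_disk_paths(domain_xml):
    """Return file-backed disk sources carrying <seclabel relabel='no'/>.
    Only those need manual ACLs; libvirt labels the rest itself."""
    paths = []
    for disk in ET.fromstring(domain_xml).iter("disk"):
        src = disk.find("source")
        if src is None or not src.get("file"):
            continue
        sec = src.find("seclabel")
        if sec is not None and sec.get("relabel") == "no":
            paths.append(src.get("file"))
    return paths


def acl_commands(paths, user=QEMU_USER, grant=True):
    """setfacl invocations: grant rw on 'prepare', drop the entry on 'release'."""
    if grant:
        return [["setfacl", "-m", "u:%s:rw" % user, p] for p in paths]
    return [["setfacl", "-x", "u:%s" % user, p] for p in paths]


def main(argv):
    if len(argv) < 3 or argv[2] not in ("prepare", "release"):
        return 0  # other operations (start, started, stopped, ...) need nothing
    for cmd in acl_commands(unlabeled_disk_paths(sys.stdin.read()),
                            grant=(argv[2] == "prepare")):
        subprocess.run(cmd, check=True)  # a failing hook aborts the start
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The ACL is set only on the exact paths from the XML, never recursively, so a typo in a disk path cannot widen access to a whole directory.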