Re: Libvirt permissions using facl instead of groups

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


On 12/22/23 20:01, Stephen Lauck wrote:
> Is there a way to use facl to specifically grant permission to all the
> files/dirs that libvirt needs instead of using groups? 

Libvirt itself does not set ACLs. BUT what you can do is suppress
setting DAC/SELinux seclabels on files exposed to QEMU:

You can set it either for whole domain (i.e. no paths will be labeled),
or on an individual basis, e.g. for disks:

    <source file='/path/to/disk.qcow2'>
      <seclabel relabel='no'/>

and then set facls yourself. You can even do that when domain is about
to be started - libvirt allows admins to run a bash script just before
QEMU is launched - we call them hooks:

Hook is fed with domain XML from which you can then obtain list of paths
to set facls on.

I'm not exactly sure how facl discussion ended (we've discussed that
option a long time ago), but there were some difficulties:

1) facls require XATTRs, which are not always present (at least weren't
back then),
2) restoring the original state is a bit tricky, though libvirt does
have a mechanism to restore original DAC labels.

Users mailing list -- users@xxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxx

[Index of Archives]     [Virt Tools]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [KDE Users]

  Powered by Linux