On Mon, 2011-06-06 at 15:41 +0100, Daniel P. Berrange wrote:
What follows is a document outlining some thoughts I've been
having
on extending sVirt to allow confinement of applications which talk
to libvirtd on the host, primarily focusing on use of SELinux, but
also allowing a simple non-SElinux RBAC mechanism.
Are we reinventing a lot of PolicyKit? I don't think policykit does a
good job of using SELinux but it does attempt to solve most of the same
problem you are attempting to solve here. I just want to make sure it
was looked at, even if I like the approach you are taking here more...
-Eric