Re: Libvirt permissions using facl instead of groups

On 12/22/23 20:01, Stephen Lauck wrote: Libvirt itself does not set ACLs. BUT what you can do is suppress setting DAC/SELinux seclabels on files exposed to QEMU: https://libvirt.org/formatdomain.html#security-label You can set it either for whole domain (i.e. no paths will be labeled), or on an individual basis, e.g. for disks: <disk> <source file='/path/to/disk.qcow2'> <seclabel relabel='no'/> </source> </disk> and then set facls yourself. You can even do that when domain is about to be started - libvirt allows admins to run a bash script just before QEMU is launched - we call them hooks: https://libvirt.org/hooks.html Hook is fed with domain XML from which you can then obtain list of paths to set facls on. I'm not exactly sure how facl discussion ended (we've discussed that option a long time ago), but there were some difficulties: 1) facls require XATTRs, which are not always present (at least weren't back then), 2) restoring the original state is a bit tricky, though libvirt does have a mechanism to restore original DAC labels. Michal