On 12/22/23 20:01, Stephen Lauck wrote:
Is there a way to use facl to specifically grant permission to all
the
files/dirs that libvirt needs instead of using groups?
Libvirt itself does not set ACLs. BUT what you can do is suppress
setting DAC/SELinux seclabels on files exposed to QEMU:
https://libvirt.org/formatdomain.html#security-label
You can set it either for whole domain (i.e. no paths will be labeled),
or on an individual basis, e.g. for disks:
<disk>
<source file='/path/to/disk.qcow2'>
<seclabel relabel='no'/>
</source>
</disk>
and then set facls yourself. You can even do that when domain is about
to be started - libvirt allows admins to run a bash script just before
QEMU is launched - we call them hooks:
https://libvirt.org/hooks.html
Hook is fed with domain XML from which you can then obtain list of paths
to set facls on.
I'm not exactly sure how facl discussion ended (we've discussed that
option a long time ago), but there were some difficulties:
1) facls require XATTRs, which are not always present (at least weren't
back then),
2) restoring the original state is a bit tricky, though libvirt does
have a mechanism to restore original DAC labels.
Michal