Thank you for the answer!
Yes, I use TLS when want to have encryption, tcp just for testing purpose.
I am building my proxy for filtering traffic between two machines in virt-manager. Decryption of tls with, for example mitmproxy, is easy.  But when user will choose sasl with default mechanism (gssapi) 
- it becomes harder to decrypt. Where should I look to find out how libvirt does this decryption when sasl is used?

чт, 22 нояб. 2018 г. в 12:31, Jiri Denemark <jdenemar@redhat.com>:
On Thu, Nov 22, 2018 at 09:58:41 +0300, Anastasiya Ruzhanskaya wrote:
> Hello!
> I was investigating libvirt a year ago regarding it's remote control. I
> figured out necessary settings for configuring remote control in ubuntu
> (setting flags in libvirt setting files). Now I have several questions:
>
> 1) Are these flags the same for Centos?
> They did not worked for me.
> My flags for ubuntu are (for tcp for example):
>
> /etc/libvirt/libvirtd.conf : listen_tls = 0, listen_tcp = 1, listen_addr =
> "0.0.0.0 " auth_-
> tcp = "none "

These configuration options are the same in all distros. But, listening
on TCP without any encryption and authentication is very dangerous and
it should not be used. A connection to system libvirtd is equivalent to
having a root account and I believe you don't want to provide root
access to anyone connecting to an open TCP port, do you? See
https://libvirt.org/remote.html for more details about remote access.

> /etc/init/libvirt-bin.conf: add -l (listen) : env libvirtd_opts = d -l"
> /etc/default/libvirt-bin add -l : libvirtd_opts = d -l"

This is different in CentOS. You need to edit /etc/sysconfig/libvirtd
file and uncomment LIBVIRTD_ARGS="--listen".

> 2) Can the remote control be configured along with local on one machine?

Yes, local access via UNIX sockets is always enabled. That is, enabling
remote access as described above will allow you to connect to libvirtd
both locally and remotely.

Jirka