similar to: Console access for a user.

As a Systems Administrator, I would like to grant permissions to a certain VM using unix groups. In this example there is a hypervisor with VMs A,B,C,D and there is a group called fortadmins. The solution I am searching forI would just allow fortadmins to use libvirt/virsh commands on VM D. Does libvirt/virsh provide any way to easily accomplish this goal? Regards, Jamie Ian Fargen

I read this page https://libvirt.org/aclpolkit.html And it is written :"At this point in time, the only attribute provided by libvirt to identify the user invoking the operation is the PID of the client program. This means that the polkit access control driver is only useful if connections to libvirt are restricted to its UNIX domain socket." 2018-05-09 11:00 GMT+03:00 Daniel P.

Hello! According to the documentation access control drivers are not in really "good condition". There is a polkit, but it can distinguish users only according the pid. However, I have met some articles about more fine-grained control and about selinux drivers for libvirt? So, what is the status now? Should I implement something by myself if I want access based on login, are their

Hi, Until today, I hadn't found a way to cleanly remove a KVM virtual machine through command line on CentOS 6 or 7! I had to run 'systemctl restart libvirtd' or 'service libvirtd restart' After several months (!!!), I found this thread: https://github.com/pradels/vagrant-libvirt/issues/107 Now, I know how to cleanly remove a KVM virtual machine (with default file location):

On Thu, 2017-02-02 at 07:16 -0800, Gordon Messmer wrote: > On 02/02/2017 06:51 AM, Leonard den Ottolander wrote: > > pkcheck might not be directly vulnerable. However, pkexec is. > > > If that's so, why are you supplying patches to pkcheck rather than > fixing pkexec? The patch has a fix for three memory leaks. One memory leak that allows heap spraying in pkexec.c that

Hi all I have a Fedora release 17 (Beefy Miracle) with libvirt versions: libvirt-0.9.11.3-1.fc17.x86_64 virt-manager-0.9.1-3.fc17.noarch I have allowed non-root user to user libvirt by allowing the user through polkit cat /etc/polkit-1/localauthority/50-local.d/cat 50-org.example-libvirt-remote-access.pkla [Remote libvirt SSH access] Identity=unix-group:virt

Hi All, I would like to input a .txt file by using read.table() the file data.txt: Name ID IMAGE:1000031 suid=115221 IMAGE:1000208 51265 IMAGE:1000334 64770 IMAGE:1000365 suid=99969 IMAGE:1000500 55421 IMAGE:1000875 64770 IMAGE:1000892 399655 IMAGE:1000942 suid=112379 IMAGE:1007141 5001 IMAGE:1007150 55 IMAGE:1007164 suid=117508 IMAGE:1007167 suid=102504

Thanks for the info. I am trying to connect to the Xen hypervisor, via a localhost connection defined in the virt-manager configuration. here is the detail provided in the error dialog: ????????? Unable to open a connection to the Xen hypervisor/daemon. Verify that: - A Xen host kernel was booted - The Xen service has been started internal error: DBus support not compiled into this

On Thursday, August 21, 2014 12:00:03 centos-request at centos.org wrote: > Re: [CentOS] SELinux vs. logwatch and virsh > From: Daniel J Walsh <dwalsh at redhat.com> > To: CentOS mailing list <centos at centos.org> > > On 08/18/2014 02:13 PM, Bill Gee wrote: > > Hi Dan - > > > > "ausearch -m avc -ts recent" produces no output. If I run it

Ok, excuse me for misunderstanding, how it is possible then to set up access control when I use remote connection to KVM ( not in UNIX domain)? Is there any way within libvirt, maybe based on authentication or certificates? 2018-05-09 11:14 GMT+03:00 Daniel P. Berrangé <berrange@redhat.com>: > On Wed, May 09, 2018 at 11:13:01AM +0300, Anastasiya Ruzhanskaya wrote: > > I read this

Dear all, I have a code where I subset a data frame to match entries within levels of an factor (actually, the full script uses three difference factors do do that). I'm very happy with the precision with which I can work with R, but since I loop over factor levels, and the data frame is big, the process is slow. So I've been trying to speed up the process using by(), but I got stuck at

The attached patch adds an option --drop-suid which caused rsync to drop setuid/setgid permissions from the destination files. ie, even if the source file is setuid, the target file will not be. Added as we want to rsync the same files to machines both inside and outside our firewalls. For machines inside the firewall some files should be suid, for machines outside the firewalls they should

I recently began getting periodic emails from SEalert that SELinux is preventing /usr/libexec/qemu-kvm "getattr" access from the directory I store all my virtual machines for KVM. All VMs are stored under /vmstore , which is it's own mount point, and every file and folder under /vmstore currently has the correct context that was set by doing the following: semanage fcontext -a -t

I installed lighttpd from ports on my FreeBSD-5 system last night, wanting to play with that instead of WEBrick for development work. I installed it, and ran script/server, and got this: [minter@carlton discostu]$ script/server => Booting lighttpd (use ''script/server webrick'' to force WEBrick) => Rails application started on http://0.0.0.0:3000 => Call with -d to

What are you using for the database - SQLite? I am using mysql (mariadb). I am not familiar with SQLlite. Can you access the database from the console - look up the list of tables - display the contents from a table? Anything to see if your SQLite is working and has asterisk data in it. From your Asterisk console, |CLI> core show help database| should give you a list of commands that you

Hi, Recently once again an exploit for SuperProbe was posted to the bugtraq. That message was forwarded to linux-security and Rogier Wolff rejected it on the basis of the author of the SuperProbe (David Wexelblatt) comment that it was never intended to be suid. In general, there is absolutely no reason for programs that are supposed to be run only by root to be suid to root! If your

Hey, i am running an unusual setup where i assign pci devices behind the back of libvirt. I have two options to do that: 1. a wrapper script for qemu that takes care of suid-root and appends arguments for pci-assign 2. virsh qemu-monitor-command ... 'device_add pci-assign...' I know i should probably not be doing this, it is a workaround to introduce fine-grained pci-assignment in an

I'm stuck on a problem with rsync... We've got a chrooted shell with rsync and all the needed libs inside (and not much else). We're using rsync over ssh to send the files into this chrooted session. The rsync binary in the chrooted session is SUID root so that it can create the files with the correct UID/GID. When the following is run, it creates all the files as root.staff, not

Hello. In the Samba by Example book theres a section called "Effect of Setting File and Directory SUID/SGID Permissions Explained", that shows an example of the effect of SUID/SGID bits. The SGID bit when setted in directories makes the files inherit the group owner, but I couldn't make the SUID bit on directories work, making files inherit the owner. The

Hi all, I'm in the process of building a * box for home and ran across the vmail.cgi script. It installs suid root in order to allow access to the voice mail boxes. I've never been fond of suid root and was looking for a better method. I've patched my installation to make everything in the vm hierarchy (/var/ spool/asterisk/voicemail/*) setgid www to match the group of my