[RedHat 6.3] Allow virt-manager but not libvirt
We are trying to get a "secure" KVM-environment up and running, but keep hitting walls.
We don't want our users to be able to do whatever they want, and virt-manager is quite simple to modify (just python-scripts).
The users need to be able to run virt-manager without root, but not be able to create machines in a terminal.
Therefore I cannot use policykit-action org.libvirt.unix.policy and allow_any.
Is this even possible?
Is policykit the right way to go or do we need to look at selinux?
Thanks so much for all tips and pointers, I'm totally stuck right now.
If your users are non-privileged then they only get read-only access anyway. You need to take graphical vs. text out of the equation and look at it as simple permissions - are they privileged or not?
I just did some testing, and even though our users are not privileged, they are able to run virt-install (and every other virt-command).
Is it possible to prevent users from running virt-commands?
I think polkit support is compiled in, you may be able to work around it by changing a few settings in /etc/libvirt/libvirtd.conf: