Old 01-24-2013, 05:17 AM   #1
RuZleBiFf
LQ Newbie
 
Registered: Jan 2013
Posts: 10

Rep: Reputation: Disabled
[RedHat 6.3] Allow virt-manager but not libvirt


Hello,

We are trying to get a "secure" KVM-environment up and running, but keep hitting walls.
We don't want our users to be able to do whatever they want, and virt-manager is quite simple to modify (just python-scripts).
The users need to be able to run virt-manager without root, but not be able to create machines in a terminal.
Therefore I cannot use policykit-action org.libvirt.unix.policy and allow_any.

Is this even possible?
Is policykit the right way to go or do we need to look at selinux?

Thanks so much for all tips and pointers, I'm totally stuck right now.


Best Regards,
Sindre
 
Old 01-28-2013, 05:35 PM   #2
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,758

Rep: Reputation: 643
If your users are non-privileged then they only get read-only access anyway. You need to take graphical vs. text out of the equation and look at it as simple permissions - are they privileged or not?
 
Old 01-30-2013, 06:47 AM   #3
RuZleBiFf
LQ Newbie
 
Registered: Jan 2013
Posts: 10

Original Poster
Rep: Reputation: Disabled
Hi again.

I just did some testing, and even though our users are not privileged, they are able to run virt-install (and every other virt-command).
Is it possible to prevent users from running virt-commands?
 
Old 01-30-2013, 05:21 PM   #4
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,758

Rep: Reputation: 643
I think polkit support is compiled in; you may be able to work around it by changing a few settings in /etc/libvirt/libvirtd.conf:

Code:
# Pick a group that users will need to be a member of to have R/W access
unix_sock_group = "somegroup"
unix_sock_rw_perms = "0770"
auth_unix_rw = "none"
I haven't tested this but the directives are commented in the file so you should be able to work it out.
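
One way to check the effect of the settings suggested in post #4, as an added example that is not part of the thread: a POSIX shell function that reads a libvirtd.conf and reports who can reach the read-write socket. The function names `conf_get` and `check_libvirtd_conf` and the verdict strings are made up for this example; only the three directive names come from the post.

```shell
#!/bin/sh
# Added example, not from the thread: audit the read-write socket settings
# that post #4 suggests changing in /etc/libvirt/libvirtd.conf.

# conf_get FILE KEY: last uncommented value of KEY, without quotes or trailing comment.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
            -e 's/^"\(.*\)"$/\1/' | tail -n 1
}

# check_libvirtd_conf FILE: print a one-line verdict. Exit status 0 = access is
# gated, 1 = open to every local user, 2 = cannot tell from the file alone.
check_libvirtd_conf() {
    group=$(conf_get "$1" unix_sock_group)
    perms=$(conf_get "$1" unix_sock_rw_perms)
    auth=$(conf_get "$1" auth_unix_rw)
    case $perms in
        [0-7][0-7][0-7] | [0-7][0-7][0-7][0-7]) ;;
        "") echo "UNKNOWN: unix_sock_rw_perms is not set, the build default applies"; return 2 ;;
        *) echo "UNKNOWN: unix_sock_rw_perms=\"$perms\" is not an octal mode"; return 2 ;;
    esac
    other=${perms#"${perms%?}"}   # last octal digit = permissions for "other"
    case $auth in
        none)
            # With no authentication the socket file mode is the only gate.
            if [ "$other" != 0 ]; then
                echo "OPEN: auth_unix_rw=none and mode $perms lets any local user connect read-write"
                return 1
            elif [ -z "$group" ]; then
                echo "UNKNOWN: mode $perms is group-restricted but unix_sock_group is not set"
                return 2
            fi
            echo "GROUP-ONLY: members of '$group' get read-write access from any client"
            return 0 ;;
        polkit) echo "POLKIT: mode $perms, access is decided by polkit policy"; return 0 ;;
        "") echo "UNKNOWN: auth_unix_rw is not set, the build default applies"; return 2 ;;
        *) echo "OTHER: auth_unix_rw=$auth, mode $perms"; return 0 ;;
    esac
}

# Run against a file given on the command line, e.g. /etc/libvirt/libvirtd.conf.
if [ $# -gt 0 ]; then check_libvirtd_conf "$1"; fi
```

The check is made on the socket, so group membership gives the same read-write access to virt-manager, virsh and virt-install alike.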
 
  


All times are GMT -5.
