From: "Daniel P. Berrangé" <berrange@redhat.com>
To: Stefano Brivio <sbrivio@redhat.com>
Cc: "Richard W.M. Jones" <rjones@redhat.com>,
Yumei Huang <yuhuang@redhat.com>,
passt-dev@passt.top, david@gibson.dropbear.id.au
Subject: Re: [PATCH] test: Update README.md
Date: Wed, 24 Sep 2025 12:20:03 +0100 [thread overview]
Message-ID: <aNPT475lQy6yt7qS@redhat.com> (raw)
In-Reply-To: <20250924130553.673cc9c0@elisabeth>
On Wed, Sep 24, 2025 at 01:05:53PM +0200, Stefano Brivio wrote:
> On Wed, 24 Sep 2025 11:31:31 +0100
> "Richard W.M. Jones" <rjones@redhat.com> wrote:
>
> > On Wed, Sep 24, 2025 at 11:09:09AM +0200, Stefano Brivio wrote:
> > > And now that you say that, I just realised that it would be as simple
> > > as:
> > >
> > > https://libguestfs.org/guestfs-faq.1.html#permission-denied-when-running-libguestfs-as-root
> > >
> > > LIBGUESTFS_BACKEND=direct virt-edit...
> >
> > While that will indeed work, we're trying to discourage people from
> > doing that, since it removes the other good things that libvirt does,
> > such as setting up SELinux.
>
> Oh, I see. I guess it makes sense, with a number of caveats:
>
> 1. libvirt's SELinux policy doesn't seem to be really maintainable /
> long-term sustainable to me, especially because it's still part of
> fedora-selinux
Well it isn't ideal that Fedora policy is largely centralized, but
it has been maintained it since 2007, so claiming it is not long
term sustainable is just FUD.
> 2. it adds a rather artificial dependency on libvirt, so in the end
> you're running more things, and more complicated ones, even if it's
> not needed
Libvirt provides a stable interface to interacting with QEMU
over decades. QEMU's own interface is only guaranteed stable
over 2 releases. As QEMU changes its interface and/or best
practice configuration approach, libvirt adapts to this so
every app doesn't have to repeat this work.
> 3. the profile is still much looser than what a libguestfs specific
> profile could be, see for example the AppArmor policy I introduced
> at:
>
> https://salsa.debian.org/libvirt-team/guestfs-tools/-/commit/e638b1bcb8a6621d0b61907f9269a2506680684f
>
> which, despite being rather loose, is still arguably much stricter
> than this beast (and related add-ons):
>
> https://gitlab.com/libvirt/libvirt/-/blob/master/src/security/apparmor/usr.sbin.libvirtd.in
>
> and I think a strict subset of it, as well.
This is the policy for the libvirt daemon, which is separate from the
policy that the QEMU guest runs under - the latter is constrained to
limit access to resources configured for the guest VM.
The libvirt daemon policy needs to be loose by default, since users
want libvirt to be able to access a wide range of files and resources.
This same need applies to guestfish - it needs to access arbitrarily
specified disk images, so would need a very loose policy. Only the
spawned QEMU could be confined strictly, and that would be equiv to
what is already done with libvirt's policy for QEMU.
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
next prev parent reply other threads:[~2025-09-24 11:20 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-19 1:43 Yumei Huang
2025-09-19 5:00 ` David Gibson
2025-09-19 9:58 ` Stefano Brivio
2025-09-22 3:03 ` Yumei Huang
2025-09-22 20:03 ` Stefano Brivio
2025-09-23 6:36 ` Yumei Huang
2025-09-23 7:16 ` Yumei Huang
2025-09-23 10:32 ` Stefano Brivio
2025-09-24 1:58 ` David Gibson
2025-09-24 1:58 ` Yumei Huang
2025-09-24 3:44 ` David Gibson
2025-09-24 4:02 ` Yumei Huang
2025-09-24 8:46 ` Stefano Brivio
2025-09-24 8:56 ` Richard W.M. Jones
2025-09-24 9:09 ` Stefano Brivio
2025-09-24 10:31 ` Richard W.M. Jones
2025-09-24 11:00 ` Daniel P. Berrangé
2025-09-25 9:21 ` Richard W.M. Jones
2025-09-24 11:05 ` Stefano Brivio
2025-09-24 11:20 ` Daniel P. Berrangé [this message]
2025-09-24 11:48 ` Stefano Brivio
2025-09-25 5:16 ` Yumei Huang
2025-09-23 7:49 ` David Gibson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aNPT475lQy6yt7qS@redhat.com \
--to=berrange@redhat.com \
--cc=david@gibson.dropbear.id.au \
--cc=passt-dev@passt.top \
--cc=rjones@redhat.com \
--cc=sbrivio@redhat.com \
--cc=yuhuang@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://passt.top/passt
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for IMAP folder(s).