Daniel summarized my approach nicely. Basically I'm looking at enabling multi-tenancy administration where several admins can exist but they can only see and/or manipulate with resources (VMs, storage, networks) assigned to them. By making use of a generic AC-module approach where actions gets passed through arbitrary complex access control can be enforced since the AC-module could implement/interface different schemes of granting/denying access depending on what enforcing policy wants to be used. One could for example use SELinux as a scheme to enable RBAC and/or tie it together with policies for sVirt. An initial implementation step would be realizing the AC-module foundation and starting with moving out the RW/RO enforcement (currently residing within libvirt.c) as first basic enforcement scheme. Freundliche Grüsse / Best regards <div align=right> </div> <table width=100%> <tr valign=top> <td width=67% bgcolor=#4477bb>Konrad Eriksson Research Software Engineer Trusted Computing / Security & Assurance Email: <a href=mailto:kon@zurich.ibm.com>kon@zurich.ibm.com</a> Phone: +41 (0)44 724 84 28 <td width=32% bgcolor=#4477bb><img src=cid:_1_077CF8CC077CF4CC00429ADFC1257540> IBM Zurich Research Laboratory Saeumerstrasse 4 8803 Rueschlikon Switzerland </table> <table width=100%> <tr valign=top> <td>From: <td>"Daniel P. Berrange" <berrange@redhat.com> <tr valign=top> <td>To: <td>Atsushi SAKAI <sakaia@jp.fujitsu.com> <tr> <td valign=top>Cc: <td>Konrad Eriksson1 <KON@zurich.ibm.com>, libvir-list@redhat.com <tr valign=top> <td>Date: <td>01/16/2009 10:57 AM <tr valign=top> <td>Subject: <td>Re: [libvirt] Fine grained Access Control in libVirt</table> <hr noshade> <tt>On Fri, Jan 16, 2009 at 12:16:10PM +0900, Atsushi SAKAI wrote: > Hi, Dan > > Would you explain the difference with sVirt? > The final goal sVirt seems same form me. > (for example, define many security domain etc in .te file.) At this stage sVirt is primarily about protecting guests from each other, and protecting the host from guests. Konrad's suggestions are about protecting guests/hosts from administrators, by providing more fine grained control over what libvirt APIs an admin can invoke & on what objects. Both bits of work are required & are complementary to each other Daniel -- |: Red Hat, Engineering, London -o- </tt><a href=http://people.redhat.com/berrange/><tt>http://people.redhat.com/berrange/</tt></a><tt> :| |: </tt><a href=http://libvirt.org/><tt>http://libvirt.org</tt></a><tt> -o- </tt><a href="http://virt-manager.org/"><tt>http://virt-manager.org</tt></a><tt> -o- </tt><a href=http://ovirt.org/><tt>http://ovirt.org</tt></a><tt> :| |: </tt><a href=http://autobuild.org/><tt>http://autobuild.org</tt></a><tt> -o- </tt><a href=http://search.cpan.org/~danberr/><tt>http://search.cpan.org/~danberr/</tt></a><tt> :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :| </tt>