[libvirt] [PATCH 0/6] NSS module for libvirt

Michal Privoznik mprivozn at redhat.com
Wed Feb 17 15:42:40 UTC 2016

On 16.02.2016 17:59, Daniel P. Berrange wrote:
> On Mon, Feb 15, 2016 at 05:38:37PM +0100, Michal Privoznik wrote:
>> Are you tired of remembering IP addresses for your domains?  Do
>> you have enough of configuring static IPs so that you can add
>> them to your hosts file? Then libvirt NSS module is exactly what
>> you need!
>> NSS does a lot in a Linux host. These patches aim at translating
>> domain names into IP addresses. All you need to do, is install
>> libnss_libvirt.so.2 (e.g. via 'make install' ran from source
>> dir), enable the module in nsswitch.conf:
>>     $ grep libvirt /etc/nsswitch.conf
>>     hosts:       files dns libvirt
>> and you're all set. Now you can just:
>>     $ ping $mydomain
>>     $ ssh user@$mydomain
>> or anything you'd like. The only limitation is that it has to be
>> libvirt who has assigned the domain IP address. The limitation
>> comes from implementation in which
>> '/var/lib/libvirt/dnsmasq/*.status' files are parsed when looking
>> up a hostname.
> So the 'nss' modules are loaded by any process on the host
> which does dns lookups. This in turns implies that any process
> has to have permission to read the dnsmasq lease files directly.
> I don't think this is very desirable, particularly from an
> SELinux POV - I'm not convinced we want to grant every process
> perm to read the virt_var_lib_t.

Okay, I haven't thought of that. What if, *.status file under
/var/lib/libvirt/dnsmasq would have virt_nss_var_lib_t and we have new
selinux boolean. Anybody who could read virt_var_lib_t could read
virt_nss_var_lib_t too. Moreover, if the boolean would be set, everybody
else, who would be denied on virt_var_lib_t would be granted access on

> I'm wondering if we shouldn't have a separate file(s) recording
> the hostname/IP address mappings for the NSS module to read,
> that we place somewhere dedicated to this purpose, so we can
> grant permission to just the data NSS needs.

I'd like to avoid that if possible.


More information about the libvir-list mailing list