Linux Permissions (DAC and MAC)

Two of the backup methods implemented by the Libvirt Plugin (checkpoint and block_dev) require the creation of temporary files. For this reason, the plugin applies specific logic to handle Linux permissions, including Discretionary Access Control (DAC) and Mandatory Access Control (MAC).

The plugin provides several advanced parameters to control this behavior.

The location where temporary files are stored:

  • tmp_dir

Note

Temporary files may require several gigabytes of disk space.

For DAC, the plugin attempts to change the ownership (user and group) of the temporary files so that the user running Libvirt has read and write access. The relevant parameters are:

  • libvirt_user

  • libvirt_group

For MAC, the plugin attempts to manage whichever MAC system is enabled on the host. This behavior can be disabled using the mandatory_access_control parameter.

  • For SELinux, the plugin attempts to add a temporary rule using the context specified by the selinux_context parameter.

  • For AppArmor, the plugin attempts to set the profile associated with the domain to complain mode. This profile is typically located under /etc/apparmor/libvirt/libvirt-<domain_uuid>. If the profile is stored elsewhere, the template_apparmor_file parameter can be adjusted to reference the correct file.

The relevant parameters are:

  • mandatory_access_control

  • selinux_context

  • template_apparmor_file
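
Because the plugin switches a domain's AppArmor profile to complain mode and changes ownership of its temporary files, an operator may want to check the host's state once a backup has finished. The following is an added example, not code from the plugin: it flags per-domain libvirt profiles that are not in enforce mode and files under tmp_dir with an unexpected owner or with access for other users. The function names, the sample listing and its UUIDs are constructed; the listing format assumed is that of /sys/kernel/security/apparmor/profiles.

```python
import os
import re
import stat
import tempfile

# Constructed sample in the format of /sys/kernel/security/apparmor/profiles
# ("<profile> (<mode>)" per line); the UUIDs are made up.
SAMPLE_LISTING = """\
libvirtd (enforce)
libvirt-0b6e2c1a-4d3f-4c8e-9a57-1f2e3d4c5b6a (enforce)
libvirt-7c9d8e0f-1a2b-4c3d-8e4f-5a6b7c8d9e0f (complain)
libvirt-7c9d8e0f-1a2b-4c3d-8e4f-5a6b7c8d9e0f//qemu_bridge_helper (complain)
"""

# Per-domain profiles only: libvirt-<domain_uuid>, child profiles excluded.
_PROFILE = re.compile(r"^(libvirt-[0-9a-fA-F-]{36}) \((\w+)\)$")


def relaxed_libvirt_profiles(listing):
    """Names of per-domain libvirt profiles that are not in enforce mode."""
    relaxed = []
    for line in listing.splitlines():
        match = _PROFILE.match(line.strip())
        if match and match.group(2) != "enforce":
            relaxed.append(match.group(1))
    return relaxed


def audit_tmp_dir(tmp_dir, uid, gid):
    """(path, problem) pairs for files under tmp_dir with unexpected access."""
    findings = []
    for root, _dirs, files in os.walk(tmp_dir):
        for name in files:
            path = os.path.join(root, name)
            st = os.lstat(path)  # lstat: never follow a planted symlink
            if stat.S_ISLNK(st.st_mode):
                findings.append((path, "symlink"))
                continue
            if (st.st_uid, st.st_gid) != (uid, gid):
                findings.append((path, "owner"))
            if st.st_mode & (stat.S_IROTH | stat.S_IWOTH):
                findings.append((path, "other-accessible"))
    return findings


if __name__ == "__main__":
    print(relaxed_libvirt_profiles(SAMPLE_LISTING))
    with tempfile.TemporaryDirectory() as demo:  # stand-in for tmp_dir
        print(audit_tmp_dir(demo, os.getuid(), os.getgid()))
```

On a real host, pass the contents of the kernel's profile listing (readable by root) and the uid and gid that correspond to libvirt_user and libvirt_group.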
