- In the "session" instance, the POSIX DAC model restricts QEMU virtual - machines (and libvirtd in general) to only have access to resources + In the "session" instance, the POSIX users/groups model restricts QEMU + virtual machines (and libvirtd in general) to only have access to resources with the same user/group ID as the client application. There is no finer level of configuration possible for the "session" instances.
@@ -271,7 +271,7 @@ run as non-root, there will be greater restrictions on what host resources the QEMU process will be able to access. The libvirtd daemon will attempt to manage permissions on resources - to minise the likelihood of unintentionale security denials, + to minimise the likelihood of unintentional security denials, but the administrator / application developer must be aware of some of the consequences / restrictions. @@ -290,9 +290,9 @@
- When attaching PCI and USB devices to a QEMU guest,
+ When attaching USB and PCI devices to a QEMU guest,
QEMU will need to access files in /dev/bus/usb
- and /sys/bus/devices. The libvirtd daemon
+ and /sys/bus/pci/devices respectively. The libvirtd daemon
will automatically set the ownership on specific devices
that are assigned to a guest at start time. There should
not be any need for administrator changes in this respect.
@@ -313,7 +313,7 @@
The simplest option is the latter one, of just enabling the 'execute/search' bit. For any directory to be used - for storing disk images, this can be achived by running + for storing disk images, this can be achieved by running the following command on the directory itself, and any parent directories
@@ -328,7 +328,7 @@
The libvirt QEMU driver has a build time option allowing it to use
@@ -363,7 +363,7 @@
to changing the /etc/libvirt/qemu.conf settings.
The basic SELinux protection for QEMU virtual machines is intended to @@ -393,7 +393,7 @@ SELinux boolean.
The SELinux sVirt protection for QEMU virtual machines builds to the @@ -429,7 +429,7 @@ labelled to match, libvirtd will not attempt any relabelling.
- If the sVirt security model is active, then the node capabilties + If the sVirt security model is active, then the node capabilities XML will include its details. If a virtual machine is currently protected by the security model, then the guest XML will include its assigned labels. If enabled at compile time, the sVirt security diff --git a/docs/drvqemu.html.in b/docs/drvqemu.html.in index 348eaafbae..dd89fc3279 100644 --- a/docs/drvqemu.html.in +++ b/docs/drvqemu.html.in @@ -85,11 +85,11 @@ elevated privileges.
-- In the "session" instance, the POSIX DAC model restricts QEMU virtual - machines (and libvirtd in general) to only have access to resources + In the "session" instance, the POSIX users/groups model restricts QEMU + virtual machines (and libvirtd in general) to only have access to resources with the same user/group ID as the client application. There is no finer level of configuration possible for the "session" instances.
@@ -116,7 +116,7 @@ run as non-root, there will be greater restrictions on what host resources the QEMU process will be able to access. The libvirtd daemon will attempt to manage permissions on resources - to minise the likelihood of unintentionale security denials, + to minimise the likelihood of unintentional security denials, but the administrator / application developer must be aware of some of the consequences / restrictions. @@ -138,9 +138,9 @@
- When attaching PCI and USB devices to a QEMU guest,
+ When attaching USB and PCI devices to a QEMU guest,
QEMU will need to access files in /dev/bus/usb
- and /sys/bus/devices. The libvirtd daemon
+ and /sys/bus/pci/devices respectively. The libvirtd daemon
will automatically set the ownership on specific devices
that are assigned to a guest at start time. There should
not be any need for administrator changes in this respect.
@@ -162,7 +162,7 @@
The simplest option is the latter one, of just enabling the 'execute/search' bit. For any directory to be used - for storing disk images, this can be achived by running + for storing disk images, this can be achieved by running the following command on the directory itself, and any parent directories
@@ -178,7 +178,7 @@
The libvirt QEMU driver has a build time option allowing it to use
@@ -215,7 +215,7 @@
to changing the /etc/libvirt/qemu.conf settings.
The basic SELinux protection for QEMU virtual machines is intended to @@ -246,7 +246,7 @@ SELinux boolean.
-The SELinux sVirt protection for QEMU virtual machines builds to the @@ -286,7 +286,7 @@
- If the sVirt security model is active, then the node capabilties + If the sVirt security model is active, then the node capabilities XML will include its details. If a virtual machine is currently protected by the security model, then the guest XML will include its assigned labels. If enabled at compile time, the sVirt security