mansecurityReviewed July 15, 2026
Libvirt access control and privilege boundaries
Control of the system libvirt URI is close to root equivalent on many hosts. An authorized user can often define devices, attach host paths, alter networks, or influence privileged QEMU execution. Map the boundary Apply
polkitunix-socketsaslleast-privilege
Control of the system libvirt URI is close to root-equivalent on many hosts. An authorized user can often define devices, attach host paths, alter networks, or influence privileged QEMU execution.
Map the boundary
BASH
virsh -c qemu:///system uri
ss -lx | grep libvirt
stat /run/libvirt/libvirt-sock
getent group libvirtApply least privilege
- Prefer local UNIX sockets with polkit decisions for interactive administration.
- Prefer SSH transport for remote operator access when centralized host SSH policy already exists.
- Use TLS with client certificates when application-to-service connectivity requires it.
- Do not grant broad group membership as a substitute for an authorization model.
- Audit changes to domain, network, storage, secret, and node-device definitions.
Separate concerns
Socket authorization decides who may ask. SELinux and sVirt constrain what the daemon and guest processes may touch. TLS protects a transport. None replaces the others.