On Thursday, August 21, 2014 10:48:05 AM Daniel J Walsh wrote:
> I think we should set up a meeting to discuss this and figure out our
> options.

Sorry I'm slow to the party, I'm at LSS/LinuxCon this week and the network has
been fairly spotty.

> We need a mechanism for libvirt to send the labels of the process and
> images to the remote server and then we need an enforcement mechanism to
> only allow the process label to interact with the file image. SELinux could
> do this if each vm has a separate process running on the server interacting
> with the image. Otherwise the server needs to do some kind of enforcement
> on its own.
>
> We could use some form of labeled networking for transmitting the MCS
> Label of qemu to the server or we would need to extend the protocol to
> send the label down.
>
> There are two ways to handle labeled networking. The most common labeling
> standard, CIPSO, only sends the MCS portion of the label. The second
> form can send the entire label of the process, but it is seldom used and
> requires Labeled IPSEC.

As one would expect, neither CIPSO nor labeled IPsec is perfect, but they are
really our only options for conveying labels across a network - unless we want
to augment/extend RBD, which I know almost nothing about (a quick search makes
me think this is Ceph's remote storage protocol).
Daniel (Mr. Libvirt, not Mr. SELinux), can you provide a quick overview of
RBD, with bonus points for information on who controls the protocol
(Inktank/RH or IETF) and if it offers any sort of extensibility (in other
words, is there any hope for us to add label information to the protocol).
--
paul moore
security and virtualization @ redhat
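
The point in the thread that CIPSO carries only the MCS portion of a label can be seen by packing a label into a CIPSO IPv4 option and reading it back. This is an added example, not part of the original messages and not libvirt or kernel code. It assumes the enumerated tag (type 2) layout from the CIPSO draft and that the low level of the context is what gets sent; the context, the DOI value and the function names are constructed for illustration.

```python
import struct

CIPSO_OPTION = 134   # IPv4 option type assigned to CIPSO
TAG_ENUM = 2         # tag type 2: level plus a list of 16-bit category numbers
MAX_ENUM_CATS = 15   # most categories that fit under the 40-byte IPv4 option limit

def mcs_level(context):
    """Return (sensitivity, sorted categories) for the low level of a context."""
    level = context.split(":", 3)[3].split("-")[0]      # e.g. "s0:c392,c662"
    sens, _, cat_field = level.partition(":")
    cats = set()
    for part in filter(None, cat_field.split(",")):
        lo, _, hi = part.partition(".")                  # "c1.c3" is a range
        cats.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return int(sens[1:]), sorted(cats)

def encode(context, doi):
    """Build the CIPSO option; user, role and type never reach the wire."""
    sens, cats = mcs_level(context)
    if len(cats) > MAX_ENUM_CATS:
        raise ValueError("too many categories for an enumerated tag")
    tag_len = 4 + 2 * len(cats)
    tag = struct.pack("!BBBB", TAG_ENUM, tag_len, 0, sens)   # 0 = alignment octet
    tag += struct.pack("!%dH" % len(cats), *cats)
    return struct.pack("!BBI", CIPSO_OPTION, 6 + tag_len, doi) + tag

def decode(option):
    """Recover what the receiving server can learn: the DOI and the level."""
    if len(option) < 10 or option[0] != CIPSO_OPTION or option[1] != len(option):
        raise ValueError("malformed CIPSO option")
    doi, = struct.unpack("!I", option[2:6])
    tag = option[6:]
    if tag[0] != TAG_ENUM or tag[1] != len(tag) or len(tag) % 2:
        raise ValueError("unsupported or truncated tag")
    cats = struct.unpack("!%dH" % ((len(tag) - 4) // 2), tag[4:])
    level = "s%d" % tag[3]
    if cats:
        level += ":" + ",".join("c%d" % c for c in cats)
    return doi, level

# Constructed sample: an sVirt-style QEMU process label and an arbitrary DOI.
SAMPLE_CONTEXT = "system_u:system_r:svirt_t:s0:c392,c662"
SAMPLE_DOI = 16

if __name__ == "__main__":
    wire = encode(SAMPLE_CONTEXT, SAMPLE_DOI)
    print(wire.hex(), decode(wire))
```

The receiver gets only the level and category pair, so any enforcement on the storage server has to key on that pair rather than on the SELinux type.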