On Thu, Aug 21, 2014 at 03:47:14PM -0400, Paul Moore wrote:
> On Thursday, August 21, 2014 10:48:05 AM Daniel J Walsh wrote:
> > I think we should set up a meeting to discuss this and figure out our option.
>
> Sorry I'm slow to the party, I'm at LSS/LinuxCon this week and the network has
> been fairly spotty.
>
> > We need a mechanism for libvirt to send the labels of the process and
> > images to the remote server and then we need an enforcement mechanism to
> > only allow the process label to interact with the file image. SELinux could
> > do this if each vm has a separate process running on the server interacting
> > with the image. Otherwise the server needs to do some kind of enforcement
> > on its own.
> >
> > We could use some form of labeled networking for transmitting the MCS
> > Label of qemu to the server or we would need to extend the protocol to
> > send the label down.
> >
> > There are two ways to handle labeled networking. The most common labeling
> > standard, CIPSO, only sends the MCS portion of the label. The second
> > form can send the entire label of the process, but it is seldom used and
> > requires Labeled IPSEC.
>
> As one would expect, neither CIPSO nor labeled IPsec are perfect, but they are
> really our only options for conveying labels across a network - unless we want
> to augment/extend RBD, which I know almost nothing about (a quick search makes
> me think this is Ceph's remote storage protocol).

I'm afraid I don't think that passing labels at the RBD protocol level is
going to fly because the RBD client here is the QEMU process and we can not
trust the QEMU process to be honest in the data it sends to the RBD server.
We can only trust the kernel / libvirt which I think means that CIPSO /
IPsec are the only trustworthy options here.

> Daniel (Mr. Libvirt, not Mr. SELinux), can you provide a quick overview of
> RBD, with bonus points for information on who controls the protocol
> (Inktank/RH or IETF) and if it offers any sort of extensibility (in other
> words, is there any hope for us to add label information to the protocol).

Speaking mostly from a position of ignorance on the matter, I assume it
is controlled by Inktank developers, as I've not heard any mention of a
standardization effort. But I don't think that matters for the reason
above.

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
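
The thread's point that CIPSO carries only the MCS/MLS portion of a label can be seen in the option's wire format; the decoder below is an added example, not part of the original messages or of libvirt, Ceph or kernel code. It assumes the tag layouts of the CIPSO draft (tag type 1 bitmap, tag type 2 enumerated categories) and a pass-through DOI where wire values equal SELinux level and category numbers; the function names and sample bytes are constructed for illustration.

```python
import struct

CIPSO_OPTION = 134                 # IPv4 option type used by CIPSO
TAG_BITMAP, TAG_ENUM = 1, 2        # tag types handled in this sketch

def decode_cipso(opt: bytes):
    """Return (doi, level, categories) from the first tag of a CIPSO option."""
    # IPv4 options are capped at 40 bytes; 6 header bytes + 4 tag header bytes minimum.
    if not 10 <= len(opt) <= 40 or opt[0] != CIPSO_OPTION or opt[1] != len(opt):
        raise ValueError("not a well-formed CIPSO option")
    doi = struct.unpack("!I", opt[2:6])[0]
    # Tag header: type, length, alignment octet, sensitivity level.
    ttype, tlen, level = opt[6], opt[7], opt[9]
    if tlen < 4 or 6 + tlen > len(opt):
        raise ValueError("tag length runs past the option")
    body = opt[10:6 + tlen]
    if ttype == TAG_BITMAP:
        # Category 0 is the most significant bit of the first bitmap octet.
        cats = [i * 8 + b for i, octet in enumerate(body)
                for b in range(8) if octet & (0x80 >> b)]
    elif ttype == TAG_ENUM:
        if len(body) % 2:
            raise ValueError("enumerated categories must be 16-bit values")
        cats = sorted(struct.unpack("!%dH" % (len(body) // 2), body))
    else:
        raise ValueError("unsupported tag type %d" % ttype)
    return doi, level, cats

def mcs_label(level: int, cats) -> str:
    """Render the only part of the SELinux context that the option carries."""
    return "s%d" % level + (":" + ",".join("c%d" % c for c in cats) if cats else "")

# Constructed sample: DOI 1, tag type 2, level 0, categories 12 and 345.
SAMPLE = bytes([134, 14, 0, 0, 0, 1, 2, 8, 0, 0, 0x00, 0x0C, 0x01, 0x59])

if __name__ == "__main__":
    doi, level, cats = decode_cipso(SAMPLE)
    # No user, role or type field exists on the wire, only level and categories.
    print(doi, mcs_label(level, cats))
```

With tag type 1 the 40-byte option limit leaves at most 30 bitmap octets, so only categories below 240 fit; the enumerated tag holds arbitrary 16-bit category numbers but only a handful of them.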