On Friday, 4 March 2011, at 17:35:03, Daniel P. Berrange wrote:
Hi Daniel,
On Fri, Mar 04, 2011 at 04:53:20PM +0100, Stephan Mueller wrote:
> Hi,
>
> I would like to propose the following patch for the libvirtd.conf file to
> document sVirt and its usage. If you have suggestions to add better
> wording, please let me know.
>
> (If you reply with comments, could you please CC me as I am not on the
> list.)
>
> -
> +#################################################################
> +#
> +# sVirt protection mechanisms
> +#
> +# The following options specify the separation of virtual machines
> +# based on SELinux categories. As virtual machines execute with the
> +# same user ID, an additional separation functionality is necessary
> +# to prevent different virtual machines from interfering with each other
> +# in case the simulation environment provided with QEMU is
> +# successfully broken by a rogue guest.
> +#
> +# The sVirt protection mechanism implements two modes of operation:
> +# dynamic assignment of SELinux categories
> +# static assignment of SELinux labels
> +#
> +# A dynamic assignment of categories implies that libvirt generates
> +# a unique SELinux category that the virtual machine and its resources
> +# are assigned to during the instantiation of the virtual machine.
> +# SELinux ensures that each virtual machine can only access resources
> +# labeled with the same category as the virtual machine itself.
> +#
> +# A static assignment of SELinux labels imply that the administrator
> +# manually configures the SELinux label of the virtual machine in
> +# /etc/libvirt/qemu/<VM-DESCRIPTOR> based on the following example:
> +#
> +# <seclabel model='selinux' type="static">
> +# <label>system_u:system_r:qemu_t:s0:c210.c502</label>
> +# </seclabel>
> +#
> +# The <label> tag specifies a full SELinux label the virtual machine
> +# will be executed with.
> +#
> +# In addition to the setting of the SELinux label of the virtual
> +# machine, the administrator must manually set the SELinux label
> +# of all resources the virtual machine accesses appropriately.
> +#
> +# NOTE: The dynamic assignment of categories is only intended for
> +# systems with the targeted SELinux policy. Systems with the MLS
> +# SELinux policy MUST use the static assignment of labels.
> +# It is possible that static assignment is configured for
> +# systems with the targeted policy as well.
> +#
> +# dynamic_ownership: 0 == static assignment of SELinux labels
> +# 1 == dynamic assignment of SELinux labels
> +dynamic_ownership=1
> +#
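Review bot: the closing option lines of this hunk document `dynamic_ownership` as the switch between static and dynamic SELinux labelling, but the comment block above them says static labels are configured through `<seclabel ... type="static">` in the VM descriptor, so the text names two different controls for the same choice and never says how they relate. Describe only the control that actually selects the mode, and keep the terminology consistent (the NOTE speaks of "dynamic assignment of categories", the option lines of "dynamic assignment of SELinux labels"). The hunk also adds an active `dynamic_ownership=1` line instead of a commented-out example, which sets an option as a side effect of a documentation patch; a commented example would be safer. Minor: "labels imply" should read "labels implies", and the XML example mixes quote styles in `model='selinux' type="static"`.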
This is not what the dynamic_ownership parameter does - it actually
has nothing to do with SELinux / sVirt. This determines whether
libvirt will set the user/group DAC ownership on the disk images
to match the uid/gid the QEMU process runs under.
I see. Thanks for the clarification.
Whether libvirt uses static or dynamic SELinux labels is entirely
controlled by the guest XML config. This is explained a little bit
in this webpage:
http://libvirt.org/drvqemu.html#securitysvirt
though you might wish to improve the wording a little more (the web
pages are stored in the docs/ directory of GIT).
This statement there is not fully clear. Can you please briefly state how
you switch between dynamic and static labeling?
Regards,
Daniel
Ciao
Stephan
--
Stephan Müller Stephan.Mueller(a)atsec.com +49 172 216 55 78
atsec information security GmbH, Steinstraße 70, 81667 München, Germany
Managing directors: Salvatore la Pietra, Staffan Persson
HRB: 129439 (Munich District Court)
atsec it security news blog -
atsec-information-security.blogspot.com
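An added example, not part of the original thread or of libvirt's code: since the labelling mode lives in the guest XML and static labels are set by hand, this sketch reads the `<seclabel>` element of several guest definitions and reports static guests whose category sets are not separated. It assumes standard SELinux level syntax (a comma separates categories, a dot denotes an inclusive range); the guest names and function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from itertools import combinations

def parse_categories(level):
    """Expand the categories in a level such as 's0:c1,c5' into a set of ints."""
    _, _, cats = level.partition(":")
    out = set()
    for item in filter(None, cats.split(",")):
        lo, _, hi = item.partition(".")   # 'cA.cB' is an inclusive range
        first = int(lo[1:])
        last = int(hi[1:]) if hi else first
        out.update(range(first, last + 1))
    return frozenset(out)

def read_seclabel(domain_xml):
    """Return (guest name, labelling type, categories or None) for one guest."""
    root = ET.fromstring(domain_xml)
    name = root.findtext("name")
    sec = root.find("seclabel[@model='selinux']")
    if sec is None:
        return name, "unspecified", None
    kind = sec.get("type", "unspecified")
    parts = (sec.findtext("label") or "").strip().split(":", 3)
    if kind != "static" or len(parts) < 4:
        return name, kind, None
    return name, kind, parse_categories(parts[3])  # parts[3] is the level

def find_overlaps(domain_xmls):
    """Pairs of static guests where one category set contains the other."""
    static = [(n, c) for n, k, c in map(read_seclabel, domain_xmls)
              if k == "static" and c is not None]
    return sorted((a, b) for (a, ca), (b, cb) in combinations(static, 2)
                  if ca <= cb or cb <= ca)

def _guest(name, kind, label=""):
    body = f"<label>{label}</label>" if label else ""
    return (f"<domain type='kvm'><name>{name}</name>"
            f"<seclabel model='selinux' type='{kind}'>{body}</seclabel></domain>")

# Constructed sample guest definitions, not taken from the thread.
SAMPLES = [
    _guest("vm-a", "static", "system_u:system_r:qemu_t:s0:c210,c502"),
    _guest("vm-b", "static", "system_u:system_r:qemu_t:s0:c210.c502"),
    _guest("vm-c", "static", "system_u:system_r:qemu_t:s0:c10,c20"),
    _guest("vm-d", "dynamic"),
]

if __name__ == "__main__":
    for pair in find_overlaps(SAMPLES):
        print("one static label dominates the other:", pair)
```

In the constructed data, `vm-b` uses the dotted form `c210.c502`, which expands to every category from c210 through c502 and therefore contains the two-category set of `vm-a`.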