As part of the sVirt effort, I'm investigating how and when to label
the resources accessed by domains.
There is already some support for querying security labels in libvirt,
although it does not seem to be widely used as yet.
For storage pool XML descriptors, there's a permissions element per
http://libvirt.org/formatstorage.html :
<permissions>
  <owner>0744</owner>
  <group>0744</group>
  <mode>0744</mode>
  <label>virt_image_t</label>
</permissions>
The label element in this is currently assumed by libvirt to be an SELinux
security label obtainable via getfilecon(3).
There are a couple of issues here:
1. We should probably not build security model specific code directly into
the library. It's more flexible and also cleaner to abstract the security
model out. So, I suggest making a plugin scheme similar to those already
present in libvirt, where a security model can register a driver to handle
abstracted operations like "getSecurityLabel".
2. The XML format for security labels needs to be extended to indicate
which security model is in use, and potentially carry model-specific
metadata. For SELinux, we may want to know what type of policy is active,
and later, be able to interpret labels generated on other systems.
In this case, I suggest we deprecate the existing label element and, if
present, assume it's a plain SELinux context (or perhaps ignore it).
I'd suggest we implement a new label element to avoid breaking
compatibility and to avoid potential confusion with other types of device
labels (e.g. as you might see via /dev/disk/by-label).
So, how about the following:
<seclabel>
  <model>
    <!-- model-specific elements in here, to be handled by
         named security driver, in this case "selinux" -->
    <selinux>
      <type>targeted</type>
    </selinux>
  </model>
  <value>system_u:object_r:virt_image_t:s0</value>
</seclabel>
The model and value elements would be mandatory, but possibly empty.
The seclabel element would be a child of the permissions element:
<permissions>
  <owner>0744</owner>
  <group>0744</group>
  <mode>0744</mode>
  <seclabel>
    <model>
      <selinux>
        <type>targeted</type>
      </selinux>
    </model>
    <value>system_u:object_r:virt_image_t:s0</value>
  </seclabel>
</permissions>
It would also likely be reused for labeling domains themselves, and other
resources.
Thoughts?
- James
--
James Morris
<jmorris(a)namei.org>
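A Python sketch of how the proposed <seclabel> element could be parsed and dispatched to a registered security driver, with the deprecated <label> element treated as a plain SELinux context as the mail suggests. This is an added illustration, not part of the original mail or of libvirt; the driver registry, the context regex and the sample documents are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Accepts an SELinux context user:role:type[:range]; the range syntax is
# simplified to a sensitivity level and an optional category set.
SELINUX_CTX = re.compile(r"^[\w.-]+:[\w.-]+:[\w.-]+(:s\d+(-s\d+)?(:c\d+([.,]c\d+)*)?)?$")

def selinux_driver(model_elem, value):
    """Hypothetical 'selinux' driver: checks the label value and reads the
    model-specific policy type out of <model><selinux><type>."""
    if value and not SELINUX_CTX.match(value):
        raise ValueError(f"not an SELinux context: {value!r}")
    return {"model": "selinux", "policy": model_elem.findtext("selinux/type"),
            "value": value}

# Stand-in for the driver registration scheme from point 1 of the mail.
DRIVERS = {"selinux": selinux_driver}

def parse_permissions(xml_text):
    """Return the security label carried by a <permissions> element, or None."""
    root = ET.fromstring(xml_text)
    sec = root.find("seclabel")
    if sec is None:
        legacy = root.findtext("label")
        if legacy is None:
            return None
        # Deprecated <label>: assumed to be a plain SELinux context, so a bare
        # type such as "virt_image_t" is reported as invalid rather than fixed up.
        return {"model": "selinux", "policy": None, "value": legacy,
                "deprecated": True, "valid": bool(SELINUX_CTX.match(legacy))}
    model_elem, value = sec.find("model"), sec.findtext("value")
    if model_elem is None or value is None:
        raise ValueError("<seclabel> requires both <model> and <value>")
    children = list(model_elem)
    if not children:  # an empty <model/> is permitted by the proposal
        return {"model": None, "policy": None, "value": value}
    name = children[0].tag
    if name not in DRIVERS:
        raise ValueError(f"no security driver registered for model {name!r}")
    return DRIVERS[name](model_elem, value)

# Constructed samples: the proposed <seclabel> form and a legacy <label> pool.
NEW_STYLE = """<permissions><owner>0744</owner><group>0744</group><mode>0744</mode>
<seclabel><model><selinux><type>targeted</type></selinux></model>
<value>system_u:object_r:virt_image_t:s0</value></seclabel></permissions>"""
LEGACY = "<permissions><mode>0744</mode><label>virt_image_t</label></permissions>"

if __name__ == "__main__":
    print(parse_permissions(NEW_STYLE))
    print(parse_permissions(LEGACY))
```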