[libvirt] Re: [ANNOUNCE][RFC] sVirt: Integrating SELinux and Linux-based virtualization

On Tue, 12 Aug 2008, Russell Coker wrote: > One thing that should be noted is the labelled network benefits. > If you had several groups of virtual servers running at different > levels and wanted to prevent information leaks then having SE Linux > contexts and labelled networking could make things a little easier. > > I have had some real challenges in managing firewall rules for Xen > servers. My general practice is to try and make sure that there is > no real need for firewalls between hosts on the same hardware (not > that I want it this way - it's what technical and management issues > force me to). > > So for example if I have an ISP Xen server running virtual machines > for a number of organisations I make sure that they are either all > within a similar trust boundary (IE affiliated groups) or all > mutually untrusting (IE other IP addresses in the same net-block > are treated the same as random hosts on the net). Thanks for the insights -- we expect to address the virtual networking aspect in some way.