On Fri, Mar 04, 2011 at 04:53:20PM +0100, Stephan Mueller wrote:
Hi,
I would like to propose the following patch for the libvirtd.conf file to
document sVirt and its usage. If you have suggestions to add better wording,
please let me know.
(If you reply with comments, could you please CC me as I am not on the list.)
-
+#################################################################
+#
+# sVirt protection mechanisms
+#
+# The following options specify the separation of virtual machines
+# based on SELinux categories. As virtual machines execute with the
+# same user ID, an additional separation functionality is necessary
+# to prevent different virtual machines from interfering with each other
+# in case the simulation environment provided with QEMU is
+# successfully broken by a rogue guest.
+#
+# The sVirt protection mechanism implements two modes of operation:
+# dynamic assignment of SELinux categories
+# static assignment of SELinux labels
+#
+# A dynamic assignment of categories implies that libvirt generates
+# a unique SELinux category that the virtual machine and its resources
+# are assigned to during the instantiation of the virtual machine.
+# SELinux ensures that each virtual machine can only access resources
+# labeled with the same category as the virtual machine itself.
+#
+# A static assignment of SELinux labels imply that the administrator
+# manually configures the SELinux label of the virtual machine in
+# /etc/libvirt/qemu/<VM-DESCRIPTOR> based on the following example:
+#
+# <seclabel model='selinux' type="static">
+# <label>system_u:system_r:qemu_t:s0:c210.c502</label>
+# </seclabel>
+#
+# The <label> tag specifies a full SELinux label the virtual machine
+# will be executed with.
+#
+# In addition to the setting of the SELinux label of the virtual
+# machine, the administrator must manually set the SELinux label
+# of all resources the virtual machine accesses appropriately.
+#
+# NOTE: The dynamic assignment of categories is only intended for
+# systems with the targeted SELinux policy. Systems with the MLS
+# SELinux policy MUST use the static assignment of labels.
+# It is possible that static assignment is configured for
+# systems with the targeted policy as well.
+#
+# dynamic_ownership: 0 == static assignment of SELinux labels
+# 1 == dynamic assignment of SELinux labels
+dynamic_ownership=1
+#
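
Review bot: The closing comment and the active dynamic_ownership=1 line present this setting as the switch between static and dynamic SELinux labelling, but the same comment block states earlier that a static label is configured per guest with <seclabel model='selinux' type="static"> in the VM descriptor, so the text names two different controls for one choice; drop the setting from this section and leave the seclabel element as the only documented selector. In the sample label, c210.c502 uses a dot, which in SELinux level syntax denotes the range c210 through c502; if two categories are meant, write c210,c502. "A static assignment of SELinux labels imply" should read "implies", and the list under "two modes of operation" says "categories" for the dynamic mode and "labels" for the static one while the dynamic_ownership lines say "labels" for both.
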
This is not what the dynamic_ownership parameter does - it actually
has nothing to do with SELinux / sVirt. This determines whether
libvirt will set the user/group DAC ownership on the disk images
to match the uid/gid the QEMU process runs under.

Whether libvirt uses static or dynamic SELinux labels is entirely
controlled by the guest XML config. This is explained a little bit
in this webpage:

http://libvirt.org/drvqemu.html#securitysvirt

though you might wish to improve the wording a little more (the web
pages are stored in the docs/ directory of GIT).

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
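
As the reply says, the static/dynamic choice lives in the guest XML, so it can be audited there. The following is an added example, not part of the thread and not libvirt code: it reads the selinux seclabel of each guest, expands the category field, and reports static guests whose categories dominate another guest's. The guest names and XML are constructed (only the first label is the one from the quoted patch), and the parser assumes a single sensitivity level such as s0 rather than a level range.

```python
import xml.etree.ElementTree as ET
from itertools import permutations

# Constructed guest descriptors; only the first label comes from the quoted patch.
LABEL = "<label>system_u:system_r:qemu_t:s0:%s</label>"
GUESTS = {
    "web": "<domain><seclabel model='selinux' type='static'>"
           + LABEL % "c210.c502" + "</seclabel></domain>",
    "db": "<domain><seclabel model='selinux' type='static'>"
          + LABEL % "c300,c400" + "</seclabel></domain>",
    "build": "<domain><seclabel model='selinux' type='dynamic'/></domain>",
    "legacy": "<domain/>",
}

def parse_categories(label):
    """Expand the category field of user:role:type:level:cats into a set of ints."""
    parts = label.strip().split(":", 4)
    if len(parts) < 5:
        return frozenset()                  # label carries no category field
    cats = set()
    for item in parts[4].split(","):        # ',' separates entries
        lo, _, hi = item.partition(".")     # '.' denotes an inclusive range
        first = int(lo.lstrip("c"))
        last = int(hi.lstrip("c")) if hi else first
        cats.update(range(first, last + 1))
    return frozenset(cats)

def seclabel_mode(xml_text):
    """Return (type, categories) of the selinux seclabel, or (None, empty set)."""
    for sl in ET.fromstring(xml_text).findall("seclabel"):
        if sl.get("model") == "selinux":
            label = sl.findtext("label") or ""
            return sl.get("type"), parse_categories(label)
    return None, frozenset()

def audit(guests):
    modes = {name: seclabel_mode(x) for name, x in guests.items()}
    findings = [f"{n}: no selinux seclabel"
                for n, (m, _) in sorted(modes.items()) if m is None]
    static = sorted(n for n, (m, c) in modes.items() if m == "static" and c)
    for a, b in permutations(static, 2):
        # MCS lets a process reach objects whose categories are a subset of its own.
        if modes[a][1] >= modes[b][1]:
            findings.append(f"{a} dominates {b}")
    return modes, findings

if __name__ == "__main__":
    for line in audit(GUESTS)[1]:
        print(line)
```

With the dotted form the first guest holds every category from c210 to c502, which is why it is reported as dominating the guest labelled c300,c400.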