On Tue, 12 Aug 2008, Russell Coker wrote:
> having different labels for processes and files so that if someone cracks the
> UML kernel then they end up with just regular user access on the Linux
> host. Which of course they could then try to crack with any of the usual
> local-root exploits.
>
> For separation based on Xen if someone cracks the hypervisor then you lose
> everything.
>
> For KVM (which seems to be the future of Linux virtualisation) I don't know
> enough to comment.
KVM uses a modified version of Qemu where guests run as Linux processes.
There are some useful documents here:
http://kvm.qumranet.com/kvmwiki/Documents
(The OLS paper especially).
> So by "Linux-based" you mean in contrast to Xen which has the Xen kernel (not
> Linux) running on the hardware?
Yes.
> > I don't understand what needs to be backed here. Currently, MAC is not
> > used to separate different Linux-based VMs, and by integrating MAC
> > support, people will be able to further utilize MAC.
> One thing that should be noted is the labelled network benefits. If you had
> several groups of virtual servers running at different levels and wanted to
> prevent information leaks then having SE Linux contexts and labelled
> networking could make things a little easier.
>
> I have had some real challenges in managing firewall rules for Xen servers.
> My general practice is to try and make sure that there is no real need for
> firewalls between hosts on the same hardware (not that I want it this way -
> it's what technical and management issues force me to).
>
> So for example if I have an ISP Xen server running virtual machines for a
> number of organisations I make sure that they are either all within a similar
> trust boundary (i.e. affiliated groups) or all mutually untrusting (i.e. other IP
> addresses in the same net-block are treated the same as random hosts on the
> net).
Thanks for the insights -- we expect to address the virtual networking
aspect in some way.
> The issue is whether the hypervisor you care about can be broken out of in
> that way. It seems that if someone can break out of Xen then you just lose.
>
> For KVM I don't know the situation, do you have a good reference for how it
> works?
>
> http://en.wikipedia.org/wiki/Kernel-based_Virtual_Machine
>
> The above web page says that KVM is all based in the kernel, in which case why
> would it be any more resilient than Xen?
KVM uses a kernel module to utilize the virt hardware (which Qemu
interfaces with via /dev/kvm), but the guest runs in a userspace process.
I'm not comparing which is more resilient.
- James
--
James Morris
<jmorris(a)namei.org>
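The split James describes above (a kernel module reached only through /dev/kvm, with the guest itself living in a userspace process) can be seen first-hand with a handful of ioctls. The C program below is an added example, not code from this thread or from the KVM or Qemu projects: it opens /dev/kvm, hands the kernel module one page of this process's anonymous memory as guest RAM, loads a dozen bytes of constructed real-mode code into it, and runs them, receiving the guest's port writes and its halt as exits back into the calling process. The guest code bytes, the port number 0x3f8, the DEMO_* status codes and the demo_outcome() helper are all constructed for the example; it is x86 Linux only and reports DEMO_NO_KVM when /dev/kvm cannot be opened, which is the usual case inside a container or for a user outside the kvm group.

```c
/* Added example (not from the thread or the KVM/Qemu projects): drive /dev/kvm directly
 * and run a one-page guest inside this ordinary Linux process.  x86 Linux only. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#define HAVE_X86_KVM 0
#if defined(__linux__) && (defined(__x86_64__) || defined(__i386__)) && defined(__has_include)
#  if __has_include(<linux/kvm.h>)
#    include <linux/kvm.h>
#    undef HAVE_X86_KVM
#    define HAVE_X86_KVM 1
#  endif
#endif

enum demo_status { DEMO_OK = 0, DEMO_NO_KVM = 1, DEMO_UNSUPPORTED = 2, DEMO_ERROR = 3 };

/* Constructed guest: 16-bit real-mode code at guest-physical 0x1000.  It adds %bl to %al
 * (both preloaded with 2), writes the ASCII digit and a newline to I/O port 0x3f8, then
 * halts.  The kernel module emulates neither: each OUT and the HLT exit to this process. */
static const uint8_t guest_code[] = {
    0xba, 0xf8, 0x03,   /* mov  $0x3f8, %dx */
    0x00, 0xd8,         /* add  %bl, %al    */
    0x04, '0',          /* add  $'0', %al   */
    0xee,               /* out  %al, (%dx)  */
    0xb0, '\n',         /* mov  $'\n', %al  */
    0xee,               /* out  %al, (%dx)  */
    0xf4,               /* hlt              */
};

/* Runs the guest to its HLT, collecting its port-0x3f8 output into out (outsz > 0). */
enum demo_status run_tiny_guest(char *out, size_t outsz)
{
    out[0] = '\0';
#if !HAVE_X86_KVM
    (void)outsz; return DEMO_UNSUPPORTED;
#else
    enum demo_status st = DEMO_ERROR;
    size_t used = 0; long run_sz = 0; int kvm, vm = -1, vcpu = -1;
    void *mem = MAP_FAILED; struct kvm_run *run = MAP_FAILED;
    struct kvm_userspace_memory_region region; struct kvm_sregs sregs; struct kvm_regs regs;
    /* /dev/kvm is the only door into the kernel module: no access, no guest. */
    if ((kvm = open("/dev/kvm", O_RDWR | O_CLOEXEC)) < 0) return DEMO_NO_KVM;
    if (ioctl(kvm, KVM_GET_API_VERSION, 0) != 12) goto done;   /* stable ABI version */
    if ((vm = ioctl(kvm, KVM_CREATE_VM, 0UL)) < 0) goto done;
    /* Guest "RAM" is plain anonymous memory of this process. */
    mem = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) goto done;
    memcpy(mem, guest_code, sizeof guest_code);
    region = (struct kvm_userspace_memory_region){ .slot = 0, .guest_phys_addr = 0x1000,
             .memory_size = 0x1000, .userspace_addr = (uint64_t)(uintptr_t)mem };
    if (ioctl(vm, KVM_SET_USER_MEMORY_REGION, &region) < 0) goto done;
    /* One vCPU; its shared kvm_run page is how exits are reported back to us. */
    if ((vcpu = ioctl(vm, KVM_CREATE_VCPU, 0UL)) < 0) goto done;
    if ((run_sz = ioctl(kvm, KVM_GET_VCPU_MMAP_SIZE, 0)) <= 0) goto done;
    run = mmap(NULL, (size_t)run_sz, PROT_READ | PROT_WRITE, MAP_SHARED, vcpu, 0);
    if (run == MAP_FAILED) goto done;
    /* Real mode, CS base 0, start at 0x1000 with AX = BX = 2; rflags bit 1 is reserved-set. */
    if (ioctl(vcpu, KVM_GET_SREGS, &sregs) < 0) goto done;
    sregs.cs.base = 0; sregs.cs.selector = 0;
    if (ioctl(vcpu, KVM_SET_SREGS, &sregs) < 0) goto done;
    regs = (struct kvm_regs){ .rip = 0x1000, .rax = 2, .rbx = 2, .rflags = 0x2 };
    if (ioctl(vcpu, KVM_SET_REGS, &regs) < 0) goto done;
    /* KVM_RUN executes guest code until something needs userspace. */
    for (;;) {
        if (ioctl(vcpu, KVM_RUN, 0) < 0) goto done;
        if (run->exit_reason == KVM_EXIT_HLT) { st = DEMO_OK; break; }
        if (run->exit_reason != KVM_EXIT_IO || run->io.direction != KVM_EXIT_IO_OUT
            || run->io.port != 0x3f8 || run->io.size != 1 || run->io.count != 1)
            goto done;   /* shutdown, failed entry, MMIO: unexpected for this guest */
        if (used + 1 < outsz) { out[used++] = *((char *)run + run->io.data_offset); out[used] = '\0'; }
    }
done:
    if (run != MAP_FAILED) munmap(run, (size_t)run_sz);
    if (mem != MAP_FAILED) munmap(mem, 0x1000);
    if (vcpu >= 0) close(vcpu);
    if (vm >= 0) close(vm);
    close(kvm);
    return st;
#endif
}

/* 0 = guest ran and said "4\n", 1 = no /dev/kvm, 2 = not x86 Linux, -1 = failure. */
int demo_outcome(void)
{
    char buf[16];
    enum demo_status st = run_tiny_guest(buf, sizeof buf);
    if (st == DEMO_OK) return strcmp(buf, "4\n") == 0 ? 0 : -1;
    return st == DEMO_NO_KVM ? 1 : st == DEMO_UNSUPPORTED ? 2 : -1;
}

int main(void)
{
    int rc = demo_outcome();
    printf("pid %ld: outcome %d (0 = the guest computed 2+2 inside this process)\n", (long)getpid(), rc);
    return rc == 0 ? 0 : 1;
}
```

Build it with cc and run it as an unprivileged user who can open /dev/kvm. Everything the guest touches (its RAM, the VM and vCPU descriptors, the kvm_run page) belongs to the pid that printed the result, and ps -Z on that pid shows the SELinux context it runs under; that per-process context is the handle a MAC policy gets on a KVM guest and does not get on a Xen domain, which is the distinction the thread is drawing.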