[libvirt] [PATCH] dynamic_ownership documentation

Hi,

I would like to propose the following patch for the libvirtd.conf file to document sVirt and its usage. If you have suggestions to add better wording, please let me know.

(If you reply with comments, could you please CC me as I am not on the list.)

Ciao
Stephan

---
diff --git a/cc-config/cc/libvirtd.conf b/cc-config/cc/libvirtd.conf
index 43e19d8..a9acc21 100644
--- a/cc-config/cc/libvirtd.conf
+++ b/cc-config/cc/libvirtd.conf
@@ -154,7 +154,52 @@ auth_unix_rw = "none" # mechanism as well, by using 'sasl' for this option #auth_tls = "none" - +################################################################# +# +# sVirt protection mechanisms +# +# The following options specify the separation of virtual machines +# based on SELinux categories. As virtual machines execute with the +# same user ID, an additional separation functionality is necessary +# to prevent different virtual machines from interfering with each other +# in case the simulation environment provided with QEMU is +# successfully broken by a rogue guest. +# +# The sVirt protection mechanism implements two modes of operation: +# dynamic assignment of SELinux categories +# static assignment of SELinux labels +# +# A dynamic assignment of categories implies that libvirt generates +# a unique SELinux category that the virtual machine and its resources +# are assigned to during the instantiation of the virtual machine. +# SELinux ensures that each virtual machine can only access resources +# labeled with the same category as the virtual machine itself. +# +# A static assignment of SELinux labels imply that the administrator +# manually configures the SELinux label of the virtual machine in +# /etc/libvirt/qemu/<VM-DESCRIPTOR> based on the following example: +# +# <seclabel model='selinux' type="static"> +# <label>system_u:system_r:qemu_t:s0:c210.c502</label> +# </seclabel> +# +# The <label> tag specifies a full SELinux label the virtual machine +# will be executed with. +# +# In addition to the setting of the SELinux label of the virtual +# machine, the administrator must manually set the SELinux label +# of all resources the virtual machine accesses appropriately. +# +# NOTE: The dynamic assignment of categories is only intended for +# systems with the targeted SELinux policy. Systems with the MLS +# SELinux policy MUST use the static assignment of labels. 
+# It is possible that static assignment is configured for +# systems with the targeted policy as well. +# +# dynamic_ownership: 0 == static assignment of SELinux labels +# 1 == dynamic assignment of SELinux labels +dynamic_ownership=1 +#
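Review bot: The comment block documents dynamic_ownership as the switch between static and dynamic SELinux labels (`+# dynamic_ownership: 0 == static assignment of SELinux labels` / `+# 1 == dynamic assignment of SELinux labels`), but, as Daniel explains later in the thread, the option controls DAC ownership, i.e. whether libvirt sets the user/group of the disk images to the uid/gid QEMU runs under, while the SELinux mode is chosen per guest by the `<seclabel>` element in the domain XML. The 0/1 description should say that, and the sVirt explanation would fit better beside the `<seclabel>` documentation than next to an unrelated key. Minor grammar: `+# A static assignment of SELinux labels imply that the administrator` should read "implies".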

On Fri, Mar 04, 2011 at 04:53:20PM +0100, Stephan Mueller wrote:
Hi,
I would like to propose the following patch for the libvirtd.conf file to document sVirt and its usage. If you have suggestions to add better wording, please let me know.
(If you reply with comments, could you please CC me as I am not on the list.)
- +################################################################# +# +# sVirt protection mechanisms +# +# The following options specify the separation of virtual machines +# based on SELinux categories. As virtual machines execute with the +# same user ID, an additional separation functionality is necessary +# to prevent different virtual machines from interfering with each other +# in case the simulation environment provided with QEMU is +# successfully broken by a rogue guest. +# +# The sVirt protection mechanism implements two modes of operation: +# dynamic assignment of SELinux categories +# static assignment of SELinux labels +# +# A dynamic assignment of categories implies that libvirt generates +# a unique SELinux category that the virtual machine and its resources +# are assigned to during the instantiation of the virtual machine. +# SELinux ensures that each virtual machine can only access resources +# labeled with the same category as the virtual machine itself. +# +# A static assignment of SELinux labels imply that the administrator +# manually configures the SELinux label of the virtual machine in +# /etc/libvirt/qemu/<VM-DESCRIPTOR> based on the following example: +# +# <seclabel model='selinux' type="static"> +# <label>system_u:system_r:qemu_t:s0:c210.c502</label> +# </seclabel> +# +# The <label> tag specifies a full SELinux label the virtual machine +# will be executed with. +# +# In addition to the setting of the SELinux label of the virtual +# machine, the administrator must manually set the SELinux label +# of all resources the virtual machine accesses appropriately. +# +# NOTE: The dynamic assignment of categories is only intended for +# systems with the targeted SELinux policy. Systems with the MLS +# SELinux policy MUST use the static assignment of labels. +# It is possible that static assignment is configured for +# systems with the targeted policy as well. 
+# +# dynamic_ownership: 0 == static assignment of SELinux labels +# 1 == dynamic assignment of SELinux labels +dynamic_ownership=1 +#
This is not what the dynamic_ownership parameter does - it actually has nothing to do with SELinux / sVirt. This determines whether libvirt will set the user/group DAC ownership on the disk images to match the uid/gid the QEMU process runs under.

Whether libvirt uses static or dynamic SELinux labels is entirely controlled by the guest XML config. This is explained a little bit in this webpage:

http://libvirt.org/drvqemu.html#securitysvirt

though you might wish to improve the wording a little more (the web pages are stored in the docs/ directory of GIT).

Regards,
Daniel

-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

On 03/04/2011 09:35 AM, Daniel P. Berrange wrote:
+# A static assignment of SELinux labels imply that the administrator +# manually configures the SELinux label of the virtual machine in +# /etc/libvirt/qemu/<VM-DESCRIPTOR> based on the following example: +# +# <seclabel model='selinux' type="static"> +# <label>system_u:system_r:qemu_t:s0:c210.c502</label> +# </seclabel>
+# dynamic_ownership: 0 == static assignment of SELinux labels +# 1 == dynamic assignment of SELinux labels +dynamic_ownership=1 +#
This is not what the dynamic_ownership parameter does - it actually has nothing to do with SELinux / sVirt. This determines whether libvirt will set the user/group DAC ownership on the disk images to match the uid/gid the QEMU process runs under.

While Daniel's point is correct, that dynamic_ownership in the conf file (affecting DAC) is different than dynamic SELinux labels in the XML (affecting SELinux), it may still be worth updating the dynamic_ownership documentation to mention how the XML can additionally affect access.
Whether libvirt uses static or dynamic SELinux labels is entirely controlled by the guest XML config. This is explained a little bit in this webpage:
http://libvirt.org/drvqemu.html#securitysvirt
though you might wish to improve the wording a little more (the web pages are stored in the docs/ directory of GIT).

Agreed that the web pages could also be improved.

-- 
Eric Blake eblake@redhat.com +1-801-349-2682
Libvirt virtualization library http://libvirt.org

On Friday, 4 March 2011, at 17:35:03, Daniel P. Berrange wrote:

Hi Daniel,
On Fri, Mar 04, 2011 at 04:53:20PM +0100, Stephan Mueller wrote:
Hi,
I would like to propose the following patch for the libvirtd.conf file to document sVirt and its usage. If you have suggestions to add better wording, please let me know.
(If you reply with comments, could you please CC me as I am not on the list.)
- +################################################################# +# +# sVirt protection mechanisms +# +# The following options specify the separation of virtual machines +# based on SELinux categories. As virtual machines execute with the +# same user ID, an additional separation functionality is necessary +# to prevent different virtual machines from interfering with each other +# in case the simulation environment provided with QEMU is +# successfully broken by a rogue guest. +# +# The sVirt protection mechanism implements two modes of operation: +# dynamic assignment of SELinux categories +# static assignment of SELinux labels +# +# A dynamic assignment of categories implies that libvirt generates +# a unique SELinux category that the virtual machine and its resources +# are assigned to during the instantiation of the virtual machine. +# SELinux ensures that each virtual machine can only access resources +# labeled with the same category as the virtual machine itself. +# +# A static assignment of SELinux labels imply that the administrator +# manually configures the SELinux label of the virtual machine in +# /etc/libvirt/qemu/<VM-DESCRIPTOR> based on the following example: +# +# <seclabel model='selinux' type="static"> +# <label>system_u:system_r:qemu_t:s0:c210.c502</label> +# </seclabel> +# +# The <label> tag specifies a full SELinux label the virtual machine +# will be executed with. +# +# In addition to the setting of the SELinux label of the virtual +# machine, the administrator must manually set the SELinux label +# of all resources the virtual machine accesses appropriately. +# +# NOTE: The dynamic assignment of categories is only intended for +# systems with the targeted SELinux policy. Systems with the MLS +# SELinux policy MUST use the static assignment of labels. +# It is possible that static assignment is configured for +# systems with the targeted policy as well. 
+# +# dynamic_ownership: 0 == static assignment of SELinux labels +# 1 == dynamic assignment of SELinux labels +dynamic_ownership=1 +#
This is not what the dynamic_ownership parameter does - it actually has nothing to do with SELinux / sVirt. This determines whether libvirt will set the user/group DAC ownership on the disk images to match the uid/gid the QEMU process runs under.
I see. Thanks for the clarification.
Whether libvirt uses static or dynamic SELinux labels is entirely controlled by the guest XML config. This is explained a little bit in this webpage:
http://libvirt.org/drvqemu.html#securitysvirt
though you might wish to improve the wording a little more (the web pages are stored in the docs/ directory of GIT).

This statement there is not fully clear. Can you please briefly state how you switch between dynamic and static labeling?
Regards, Daniel
Ciao
Stephan

-- 
Stephan Müller
Stephan.Mueller@atsec.com
+49 172 216 55 78

atsec information security GmbH, Steinstraße 70, 81667 München, Germany
Managing Directors: Salvatore la Pietra, Staffan Persson
HRB: 129439 (Amtsgericht München)
atsec it security news blog - atsec-information-security.blogspot.com

On Wed, Mar 09, 2011 at 11:38:23AM +0100, Stephan Mueller wrote:
On Friday, 4 March 2011, at 17:35:03, Daniel P. Berrange wrote:
+# A static assignment of SELinux labels imply that the administrator +# manually configures the SELinux label of the virtual machine in +# /etc/libvirt/qemu/<VM-DESCRIPTOR> based on the following example: +# +# <seclabel model='selinux' type="static"> +# <label>system_u:system_r:qemu_t:s0:c210.c502</label> +# </seclabel> +# +# The <label> tag specifies a full SELinux label the virtual machine +# will be executed with. +# +# In addition to the setting of the SELinux label of the virtual +# machine, the administrator must manually set the SELinux label +# of all resources the virtual machine accesses appropriately. +# +# NOTE: The dynamic assignment of categories is only intended for +# systems with the targeted SELinux policy. Systems with the MLS +# SELinux policy MUST use the static assignment of labels. +# It is possible that static assignment is configured for +# systems with the targeted policy as well. +# +# dynamic_ownership: 0 == static assignment of SELinux labels +# 1 == dynamic assignment of SELinux labels +dynamic_ownership=1 +#
This is not what the dynamic_ownership parameter does - it actually has nothing to do with SELinux / sVirt. This determines whether libvirt will set the user/group DAC ownership on the disk images to match the uid/gid the QEMU process runs under.
I see. Thanks for the clarification.
Whether libvirt uses static or dynamic SELinux labels is entirely controlled by the guest XML config. This is explained a little bit in this webpage:
http://libvirt.org/drvqemu.html#securitysvirt
though you might wish to improve the wording a little more (the web pages are stored in the docs/ directory of GIT).

This statement there is not fully clear. Can you please briefly state how you switch between dynamic and static labeling?
As you sort of mentioned above, when defining a new guest XML, if you don't include any <seclabel> element in the XML, then the VM uses dynamic labelling. Also if you have <seclabel type='dynamic'/> then it'll do dynamic labelling. Only if you explicitly include the full XML like

<seclabel model='selinux' type="static">
<label>system_u:system_r:qemu_t:s0:c210.c502</label>
</seclabel>

will static labelling be used.

Regards,
Daniel

-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
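The labelling rules Daniel states above, and the DAC-versus-MAC distinction from his earlier reply, can be turned into a small audit script. The following is an added example, not libvirt's own code: it classifies each guest's SELinux labelling mode from its domain XML (no `<seclabel>` or `type='dynamic'` means dynamic; only an explicit `type='static'` with a `<label>` child means static), checks that static labels have the shape of a full SELinux context, flags static guests that share an identical label (such guests hold the same category, so sVirt would not separate their resources), and reads `dynamic_ownership` from a config snippet as a separate DAC setting. The sample domain XML and config text are constructed here; the label shape check is a loose regular expression written for this example, not libvirt's parser.

```python
"""Added audit example, not libvirt code: apply the thread's <seclabel>
rules to constructed domain XML and read dynamic_ownership separately."""
import re
import xml.etree.ElementTree as ET

# Loose shape check for "user:role:type:level", where level is a
# sensitivity (s0, optionally a range s0-s1) and optional categories
# written as c210.c502 (range) or c1,c5 (list). Constructed for this
# example; it is not libvirt's label parser.
LABEL_RE = re.compile(
    r"^[A-Za-z0-9_]+:[A-Za-z0-9_]+:[A-Za-z0-9_]+:s\d+(?:-s\d+)?"
    r"(?::c\d+(?:[.,]c\d+)*)?$"
)


def seclabel_mode(domain_xml):
    """Return (mode, label) for one guest following the thread's rules."""
    root = ET.fromstring(domain_xml)
    sec = root.find("seclabel")
    # No element at all, or type='dynamic': libvirt picks a category itself.
    if sec is None or sec.get("type", "dynamic") == "dynamic":
        return ("dynamic", None)
    # Only an explicit static type with a <label> child selects a fixed label.
    if sec.get("type") == "static":
        label_el = sec.find("label")
        label = (label_el.text or "").strip() if label_el is not None else ""
        return ("static", label or None)
    return ("unknown", None)


def label_well_formed(label):
    return label is not None and LABEL_RE.match(label) is not None


def audit_domains(domains):
    """domains: dict name -> domain XML string. Returns a per-guest report
    and a dict of labels used by more than one static guest."""
    report = {}
    by_label = {}
    for name, xml_text in domains.items():
        mode, label = seclabel_mode(xml_text)
        report[name] = {
            "mode": mode,
            "label": label,
            "well_formed": mode != "static" or label_well_formed(label),
        }
        if mode == "static" and label:
            by_label.setdefault(label, []).append(name)
    shared = {lbl: names for lbl, names in by_label.items() if len(names) > 1}
    return report, shared


# Matches an uncommented key only; a leading '#' keeps the line inert.
DYN_OWN_RE = re.compile(r"^\s*dynamic_ownership\s*=\s*(\d+)\s*$", re.MULTILINE)


def dynamic_ownership_setting(conf_text):
    """Return the active dynamic_ownership value, or None if the key is
    absent or commented out. This is the DAC knob (chown of disk images
    to QEMU's uid/gid); it does not choose static or dynamic SELinux labels."""
    m = DYN_OWN_RE.search(conf_text)
    return int(m.group(1)) if m else None


# Constructed sample input, not taken from any real system.
SAMPLE_DOMAINS = {
    "web": "<domain type='kvm'><name>web</name></domain>",
    "db": "<domain type='kvm'><name>db</name><seclabel type='dynamic'/></domain>",
    "mls1": ("<domain type='kvm'><name>mls1</name>"
             "<seclabel model='selinux' type='static'>"
             "<label>system_u:system_r:qemu_t:s0:c210.c502</label>"
             "</seclabel></domain>"),
    "mls2": ("<domain type='kvm'><name>mls2</name>"
             "<seclabel model='selinux' type='static'>"
             "<label>system_u:system_r:qemu_t:s0:c210.c502</label>"
             "</seclabel></domain>"),
    "bad": ("<domain type='kvm'><name>bad</name>"
            "<seclabel model='selinux' type='static'>"
            "<label>qemu_t</label></seclabel></domain>"),
}

SAMPLE_CONF = "#dynamic_ownership = 1\ndynamic_ownership = 0\n"

if __name__ == "__main__":
    report, shared = audit_domains(SAMPLE_DOMAINS)
    for name, info in report.items():
        print(name, info)
    print("static guests sharing one label:", shared)
    print("dynamic_ownership (DAC):", dynamic_ownership_setting(SAMPLE_CONF))
```

Run against a real host you would feed it the output of `virsh dumpxml` for each guest and the relevant config file; the point of keeping the two readers separate is that a reviewer can see at a glance that changing `dynamic_ownership` never changes which guests end up statically labelled.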