On 03/14/2012 01:32 AM, Alex Jia wrote:
> I'm not sure whether you met a sanlock AVC error in your
> /var/log/audit/audit.log, could you check it and provide your
> selinux-policy version? In addition, you should turn on selinux bool
> value for sanlock, for example,
>
> # getsebool -a|grep sanlock
> virt_use_sanlock --> off
> # setsebool -P virt_use_sanlock on
> # getsebool -a|grep sanlock
> virt_use_sanlock --> on

Yuck - we have a documentation bug, since
http://libvirt.org/locking.html doesn't mention virt_use_sanlock at all.
What sort of AVCs are expected if the bool is false, and what security
implications are there by setting it to true?

For example, if virt_use_nfs is false, you can't use NFS storage for
guest disk images (at least not until qemu adds better support for fd
passing everywhere); but if it is true, then you are admitting that a
compromised qemu guest can do whatever it wants to other files within
the confines of your NFS mount point, rather than the normal sVirt
guarantee that it can only touch the files that have been labeled for
that guest - if you trust your guests, or use different NFS mount points
per guest, then setting the bool to true won't pose a significant risk
to you; if you don't trust your guests, then documenting the risks of
this bool would be enough to convince me to use iSCSI or other shared
storage alternative with more security guarantees even though it
requires more administrative setup on my part. But I don't even know
the risks of virt_use_sanlock to document them or what could be used as
alternatives.
--
Eric Blake eblake(a)redhat.com +1-919-301-3266
Libvirt virtualization library
http://libvirt.org
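
Added example, not part of the original thread: a triage helper for the audit.log check suggested above, which groups AVC denials whose source or target SELinux context mentions sanlock. The function name and the sample records are constructed for illustration; the contexts in them are assumptions, not denials reported by anyone in this thread.

```shell
# SAMPLE_AUDIT is constructed input in audit.log format (assumed contexts).
SAMPLE_AUDIT='type=AVC msg=audit(1331700001.101:501): avc:  denied  { connectto } for  pid=2101 comm="qemu-kvm" path="/var/run/sanlock/sanlock.sock" scontext=system_u:system_r:svirt_t:s0:c10,c20 tcontext=system_u:system_r:sanlock_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1331700001.900:502): avc:  denied  { connectto } for  pid=2101 comm="qemu-kvm" path="/var/run/sanlock/sanlock.sock" scontext=system_u:system_r:svirt_t:s0:c10,c20 tcontext=system_u:system_r:sanlock_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1331700001.900:502): arch=c000003e syscall=42 success=no exit=-13 comm="qemu-kvm"
type=AVC msg=audit(1331700002.200:510): avc:  denied  { read } for  pid=2200 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1331700003.300:520): avc:  denied  { read write } for  pid=1800 comm="sanlock" name="leases" scontext=system_u:system_r:sanlock_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1331700004.400:530): avc:  granted  { setsecparam } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security'

# Read audit records on stdin and print one line per distinct denial:
#   count source_type target_type tclass perms
# Only "denied" AVC records with sanlock in scontext or tcontext are kept;
# a path that merely contains "sanlock" does not count.
sanlock_denials() {
    grep -E '^type=AVC .*avc: +denied' |
    grep -E '(scontext|tcontext)=[^ ]*sanlock' |
    awk '{
        perms = ""; s = ""; t = ""; c = ""
        # Permission set sits between "{ " and " }".
        if (match($0, /[{] [^}]* [}]/))
            perms = substr($0, RSTART + 2, RLENGTH - 4)
        gsub(/ /, ",", perms)
        for (i = 1; i <= NF; i++) {
            # Context is user:role:type:level; the type is field 3.
            if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        n[s " " t " " c " " perms]++
    } END { for (k in n) print n[k], k }' | sort
}
```

On a host, feed it the real log with `sanlock_denials < /var/log/audit/audit.log` and read the result next to the output of `getsebool -a|grep sanlock`.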