sVirt

Dominick Grift domg472 at gmail.com
Sat Jul 4 17:19:38 UTC 2009


On Sat, 2009-07-04 at 12:13 -0400, Gene Czarcinski wrote:
> I am having some problems with the design/implementation of sVirt for Fedora-
> virtualization on Fedora 11.
> 
> 1. I am a longtime user of Fedora since FC1 and, prior to that, I used Red Hat 
> Linux.
> 
> 2.  I am a big fan of SELinux and have been using it since FC3 and always run 
> in enforcing mode.  I get upset/angry when someone suggests disabling SELinux 
> to "fix" my problems.  If there is a "bug", report it and get it fixed ... do 
> not ignore it.
> 
> 3. I have also been a longtime user of VMware.  However, with Fedora-
> virtualization on Fedora 11, I decided to "change my problem set" and give 
> Fedora-virtualization a try ... especially since I now have an AMD Phenom II 
> 940 which supports hardware virtualization.
> 
> I have researched and found a number of documents which provide some of the 
> goals, etc. for sVirt.  However, I have hit some undesirable characteristics 
> and bad side effects in dealing with ISO images.
> 
> First of all, sVirt changes/sets the file context for any virtual disk, ISO 
> image, or device (e.g., /dev/sr0) ... I am not sure what happens with LVM 
> logical volumes because I have not tried them yet.

ls -alZ /dev/mapper | grep volume2
brw-rw----. root disk system_u:object_r:svirt_image_t:s0:c168,c894 vg_mybook-lv_volume2

> I understand that, with mandatory access control, a process should be denied 
> access to all resources except those which have been explicitly permitted.  I 
> assume this is the reason for setting/changing the file context.  For ISO 
> images, this is BAD!
> 
> I have an apache (httpd) server running which has access to my repository of 
> ISO images.  After I create a virtual guest and point to an ISO image in the 
> repository, the apache server can no longer see that ISO image!  Bad, BAD!  
> Yes, I know restorecon will fix things up but this should not happen in the 
> first place.
> 
> Another (related) problem is that I cannot use an ISO image file on a read-only 
> mounted file system.  Why?  Just what is being protected here?
> 
> As currently implemented, there is no protection between guests with respect 
> to their individual virtual disk files.  This really does need doing and it 
> will be interesting to see how it will be done by SELinux (assuming this is 
> protected by Fedora-virtualization applications software is not good enough).
> 
> Some suggestions:
> 
> 1. I am not sure what should be done with real devices such as /dev/sr0.
> 
> 2. For files on read-only file systems, don't do anything ... they are protected 
> about as much as they can be.
> 
> 3. For files in /var/lib/libvirt/images, set the file context as is now done.  
> This is also true if I locate my read/write virtual disk (file) elsewhere.
> 
> 4. For ISO files, maybe there should be a new/special file context which allows 
> sharing between processes ... it would be explicit but it would allow sharing 
> ... maybe something like "public_content_t".
> 
> 5. Maybe implement a switch which disables SELinux enforcing (and does not 
> change the file context of ISO files) for Fedora-virtualization.
> 
> 6.  Maybe the switch should be by guest.
> 
> - - - - -
> 
> OK, I can see where locking down Fedora-virtualization with mandatory access 
> control would be very interesting to some organizations such as NSA but that 
> this would be used in a very rigidly controlled and limited system.  But, this 
> stuff has to be usable in other environments too.
> 
> - - - - - -
> 
> Finally ... IMHO, the design/implementation of SELinux for Fedora-
> virtualization  was a bit of a quick-and-dirty approach ... do what we know 
> how to do.  I suggest that maybe some SELinux folks and some key Fedora-
> virtualization (especially libvirt) folks should take a week off (or maybe just 
> a weekend), go off somewhere where you will not be bothered, and then figure out 
> what should be done ... not "how" ... just the "should" at first.  Then after 
> some time has passed so that folks have had time to think about it, have 
> another "session" where the "how" is considered and a roadmap is created.
> 
> Just some food for thought.
> 
> Gene

There was a libvirt/svirt test-day earlier but dwalsh was not there, and svirt was not mentioned by anyone.

I know svirt is a work in progress.

I have not tested the iso image thing but sounds like you have a good
point there. 

My svirt setup is very generic and I did not notice any such issues.

> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
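
The relabelling discussed in this thread can be audited from `ls -Z` output. The following is an added example, not code from the thread or from libvirt: it extracts the SELinux context from each listing line and reports files whose type is svirt_image_t, with their MCS categories. All function names and every sample line except the first (joined from the listing in the post) are constructed for illustration.

```python
import re
from collections import namedtuple

# user:role:type[:level]; fields start with a letter, so clock times never match.
_FIELD = r"[A-Za-z_][\w.]*"
CONTEXT_RE = re.compile(rf"(?<!\S)({_FIELD}):({_FIELD}):({_FIELD})(?::(\S+))?(?!\S)")
Label = namedtuple("Label", "user role type sensitivity categories")

def expand_categories(spec):
    """'c168,c894' -> {168, 894}; 'c0.c3' (a range) -> {0, 1, 2, 3}."""
    cats = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition(".")
        first = int(lo[1:])
        last = int(hi[1:]) if hi else first
        cats.update(range(first, last + 1))
    return frozenset(cats)

def parse_listing_line(line):
    """Return (Label, filename) for one `ls -Z` line, or None if it has no context."""
    m = CONTEXT_RE.search(line)
    if not m:
        return None
    user, role, type_, level = m.groups()
    low = (level or "").split("-", 1)[0]      # for a low-high range, keep the low level
    sens, _, cats = low.partition(":")
    label = Label(user, role, type_, sens, expand_categories(cats))
    return label, line[m.end():].strip()      # the file name follows the context

def relabelled_for_guest(lines, guest_type="svirt_image_t"):
    """Map file name -> sorted MCS categories for files carrying the guest image type."""
    hits = {}
    for line in lines:
        parsed = parse_listing_line(line)
        if parsed and parsed[0].type == guest_type:
            hits[parsed[1]] = sorted(parsed[0].categories)
    return hits

# Constructed sample: line 2 is the listing from the post, the others are made up.
SAMPLE = [
    "total 12",
    "brw-rw----. root disk system_u:object_r:svirt_image_t:s0:c168,c894 vg_mybook-lv_volume2",
    "-rw-r--r--. root root system_u:object_r:svirt_image_t:s0:c12,c700 guest-install.iso",
    "-rw-r--r--. root root system_u:object_r:public_content_t:s0 shared.iso",
]

if __name__ == "__main__":
    for name, cats in relabelled_for_guest(SAMPLE).items():
        print(f"{name}: relabelled for a guest, categories {cats}")
```

Files it reports are the ones another confined service, such as the httpd server in the post, would no longer be able to read under their current label.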