sVirt

Daniel J Walsh dwalsh at redhat.com
Tue Jul 7 20:03:56 UTC 2009


On 07/07/2009 01:06 PM, Gene Czarcinski wrote:
> On Monday 06 July 2009 18:22:42 James Morris wrote:
>> On Mon, 6 Jul 2009, Gene Czarcinski wrote:
>>> Neat!
>>>
>>> OK, this is starting to make more sense to me.  I like the idea of using
>>> the MCS policy to protect guests from each other.
>> These slides from LCA should help explain the design further:
>>    http://namei.org/presentations/svirt-lca-2009.pdf
>>
>> There's also a google video of the talk:
>>    http://video.google.com/videoplay?docid=5750618585157629496&hl=en
>>
>> Dan Walsh is giving a talk on the topic at Linuxcon in September:
>>    http://linuxcon.linuxfoundation.org/meetings/1571
>>
>> (which will be especially useful, as the code has evolved since the
>> initial design).
>
> Thank you one and all.  With the provided pointers to documentation I now have
> a much better understanding of how sVirt is using MCS.
>
> When I originally saw that MCS was being used to restrict guest, I immediately
> thought it was a static implementation but did not see anything on the virtual
> disk image files so I thought it was not implemented yet.  However, you use MCS
> dynamically when a guest is actually run ... this makes more sense and is far
> simpler to implement and manage than any static implementation.
>
> I see that you "only" set categories for the virtual disk images and not the
> ISO image file ... at least this is what I see and hope this is true ...
> example: I OFTEN run two or three guests which booted into rescue mode from a
> single netinst CD image.
>
> I noticed that the SELinux rule for virt_image_t allows both read and write as
> it must.
>
> However, the SELinux rule for virt_content_t (which is used for ISO image
> files) also allows both read and write ... changing this to read-only makes
> more sense to me.
These are the rules in F11; it only allows read:

# sesearch --allow -s svirt_t -t virt_content_t
Found 2 semantic av rules:
    allow svirt_t virt_content_t : file { ioctl read getattr lock open } ;
    allow svirt_t virt_content_t : dir { ioctl read getattr lock search open } ;

>
> I still believe that sVirt should not be changing the file context for ISO
> images (especially now that I see that categories are not set).  One solution
> which would "scratch my itch" while still doing (more or less) what is now
> done is to add some global sVirt parameter to define what context to use and
> have this default to virt_content_t.  It would also be nice if this could be
> overridden on a per-guest basis also.
>
> Note that I am only talking about files which would use virt_content_t since
> the "static" option mentioned in a different email addresses the virtual disk
> image file ... at least I think it does.
>
> BTW, it appears that sVirt picks a couple of non-zero random numbers to use
> for the category pair.  True?  If true, is any checking done so there are not
> any conflicts/reuse on different guests?  [I am trying to avoid going to the
> ultimate documentation for any software ... the source code]
>
Well it does check if the MCS label is unique among svirt images and it 
makes sure that the two numbers are different.  s0:c1,c1 == s0:c1 which 
is not allowed.

> Gene
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
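The category-pair check Dan describes above, as an added illustration that is not libvirt's or sVirt's own code: pick two random categories, reject the pair when the two numbers are equal (since s0:c1,c1 is just s0:c1), canonicalise the label so that s0:c7,c3 and s0:c3,c7 are recognised as the same set, and refuse any label already held by a running guest. The category range of 1024, the sensitivity s0 and the label syntax are assumptions for the example; the real allocator's range and bookkeeping are not quoted in this thread.

```python
import random
import re

# Assumed for the example: a 1024-category range and a single sensitivity.
CATEGORY_RANGE = 1024
SENSITIVITY = "s0"

_LABEL_RE = re.compile(r"(s\d+):((?:c\d+)(?:,c\d+)*)")


def canonical_mcs(label: str) -> str:
    """Normalise a simple MCS label of the form sN:cX[,cY,...].

    Categories are a set, so 's0:c7,c3' and 's0:c3,c7' denote the same
    label, and 's0:c1,c1' collapses to 's0:c1' (the degenerate case the
    thread says must not be handed to a guest).
    """
    m = _LABEL_RE.fullmatch(label)
    if not m:
        raise ValueError(f"not a simple MCS label: {label!r}")
    sens, cats = m.group(1), m.group(2)
    numbers = sorted({int(c[1:]) for c in cats.split(",")})
    return sens + ":" + ",".join(f"c{n}" for n in numbers)


def is_valid_guest_label(label: str) -> bool:
    """A guest label must carry exactly two distinct categories."""
    _sens, _, cats = canonical_mcs(label).partition(":")
    return cats.count(",") == 1


class ScriptedRNG:
    """Deterministic stand-in for a random source, used for the demo/test."""

    def __init__(self, values):
        self._values = list(values)

    def randrange(self, _n: int) -> int:
        return self._values.pop(0)


class MCSAllocator:
    """Hand out unique two-category MCS labels, one per running guest."""

    def __init__(self, rng=None, sens=SENSITIVITY, cat_range=CATEGORY_RANGE):
        self._rng = rng or random.SystemRandom()
        self._sens = sens
        self._range = cat_range
        self._in_use = set()  # canonical labels of guests currently running

    def allocate(self, max_tries: int = 10000) -> str:
        for _ in range(max_tries):
            c1 = self._rng.randrange(self._range)
            c2 = self._rng.randrange(self._range)
            if c1 == c2:
                continue  # s0:cN,cN would degrade to a single category
            label = canonical_mcs(f"{self._sens}:c{c1},c{c2}")
            if label in self._in_use:
                continue  # another running guest already holds this pair
            self._in_use.add(label)
            return label
        raise RuntimeError("no free MCS label found")

    def release(self, label: str) -> None:
        """Return a label to the pool when its guest stops."""
        self._in_use.discard(canonical_mcs(label))

    def in_use(self) -> frozenset:
        return frozenset(self._in_use)


if __name__ == "__main__":
    # Scripted draws: (5,5) is rejected as equal, (9,2) becomes s0:c2,c9,
    # (2,9) and (9,2) are rejected as duplicates, (4,1) becomes s0:c1,c4.
    alloc = MCSAllocator(rng=ScriptedRNG([5, 5, 9, 2, 2, 9, 9, 2, 4, 1]))
    print(alloc.allocate())  # s0:c2,c9
    print(alloc.allocate())  # s0:c1,c4
    print(canonical_mcs("s0:c1,c1"), is_valid_guest_label("s0:c1,c1"))
```

Run with the default constructor and the allocator draws from `random.SystemRandom`; the scripted source exists only so the rejection paths (equal categories, already-used pair) can be exercised predictably.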