sVirt
Daniel P. Berrange
berrange at redhat.com
Sun Jul 5 10:36:05 UTC 2009
On Sat, Jul 04, 2009 at 12:13:47PM -0400, Gene Czarcinski wrote:
> 1. I am not sure what should be done with real devices such as /dev/sr0.
sVirt does not distinguish based on device type, rather it goes off the
disk mode. Exclusive Read/write disks get a label with an mcs level specific
to the guest, Read/write shared get a label with an mcs level of 0, and
read-only disks get a label system_u:object_r:svirt_image_t:s0 which allows
read access.
> 2. For files on read-only file systems, don't do anything ... they are protected
> about as much as they can be.
As has been mentioned in the bug you raised several days ago, this issue
should already be addressed
https://bugzilla.redhat.com/show_bug.cgi?id=507555
> 4. For ISO files, maybe there should be a new/special file context which allows
> sharing between processes ... it would be explicit but it would allow sharing
> ... maybe something like "public_content_t".
There is already a label for read only guest images
system_u:object_r:svirt_image_t:s0
it shouldn't be much work for you to add a custom SELinux plugin that
gives httpd_t access to content labelled svirt_image_t. Ask the fedora-selinux
mailing list for assistance if needed
> 5. Maybe implement a switch which disables SELinux enforcing (and does not
> change the file context of ISO files) for Fedora-virtualization.
Already present /etc/libvirt/qemu.conf , change security_driver="none"
> 6. Maybe the switch should be by guest.
Easy enough to add - file a bug if you want this capability.
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
More information about the fedora-selinux-list
mailing list