sVirt

Gene Czarcinski gene at czarc.net
Tue Jul 7 17:06:43 UTC 2009 

On Monday 06 July 2009 18:22:42 James Morris wrote:
> On Mon, 6 Jul 2009, Gene Czarcinski wrote:
> > Neat!
> >
> > OK, this is starting to make more sense to me.  I like the idea of using
> > the MCS policy to protect guests from each other.
>
> These slides from LCA should help explain the design further:
>   http://namei.org/presentations/svirt-lca-2009.pdf
>
> There's also a google video of the talk:
>   http://video.google.com/videoplay?docid=5750618585157629496&hl=en
>
> Dan Walsh is giving a talk on the topic at Linuxcon in September:
>   http://linuxcon.linuxfoundation.org/meetings/1571
>
> (which will be especially useful, as the code has evolved since the
> initial design).

Thank you one and all.  With the provided pointers to documentation I now have 
a much better understanding of how sVirt is using MCS.

When I originally saw that MCS was being used to restrict guest, I immediately 
thought it was a static implementation but did not see anything on the virtual 
disk image files so I thought it was not implemented yet.  However, you use MCS 
dynamically when a guest is actually run ... this makes more sense and is far 
simpler to implement and manage than any static implementation..

I see that you "only" set categories for the virtual disk images and not the 
ISO image file ... at least this is what I see and hope this is true ... 
example: i OFTEN run two or three guests which booted into rescue mode from a 
single netinst CD image.

I noticed that the SELinux rule for virt_image_t allows both read and write as 
it must.

However, the SELinux rule for virt_content_t (which is used for ISO image 
files) also allows both read and write ... changing this to read-only makes 
more sense to me.

I still believe that sVirt should not be changing the file context for ISO 
images (especially now that I see that categories are not set).  One solution 
which would "scratch my itch" while still doing (more or less) what is now 
done is to add some global sVirt parameter to define what context to use and 
have this default to virt_content_t.  It would also be nice if this could be 
overridden on a per-guest basis also.

Note that I am only talking about files which would use virt_content_t since 
the "static" option mentioned in a different email addresses the virtual disk 
image file ... at least I think it does.

BTW, it appears that sVirt picks a couple of non-zero random numbers to use 
for the category pair.  True?  If true, is any checking done so there are not 
any conflicts/reuse on different guests?  [I am trying to avoid going to the 
ultimate documentation for any software ... the source code]

Gene

More information about the fedora-selinux-list mailing list