[libvirt] Re: XML representation of security labels

Casey Schaufler casey at schaufler-ca.com
Fri Aug 29 15:07:10 UTC 2008


James Morris wrote:
> On Fri, 29 Aug 2008, Daniel Veillard wrote:
>
>   
>>>> 2. The XML format for security labels needs to be extended to indicate 
>>>> which security model is in use, and potentially carry model-specific 
>>>> metadata.  For SELinux, we may want to know what type of policy is active, 
>>>> and later, be able to interpret labels generated on other systems.
>>>>         
>>   I guess so far we didn't look at the interpretation of security
>> context in the case of migration to a different system. The problem
>> is that except for the base UNIX information, they are likely to be
>> lost. Still I would expect that storage will have to be shared for
>> such migration, so in the end the case of migration of security context
>> values looks quite improbable, but maybe I don't see some of the
>> use cases (heterogeneous server pools?)
>>     
>
> In the simplest case, we'll just be wanting to ensure that domains are 
> running with distinct labels for separation purposes, so that concept may 
> be possible to convey during migration.
>
> As for specific labels (e.g. "privileged", "company-confidential" etc.), 
> this is a general problem to be solved for distributed MAC security, and 
> we would not expect to solve it here in the first iteration.  There's a 
> term used in this area called Domain of Interpretation (DOI), which is 
> essentially label metadata used to interpret/translate labels between 
> systems.  It's something that can be added to the XML if/when needed, but 
> we don't need it now.
>
> The Labeled NFS and labeled networking projects are addressing similar 
> issues, and it's possible that one or both would be involved in 
> distributing sVirt across the network.
>
>
>   
>>>    <seclabel model='selinux'>
>>>       <policy>targeted</policy>
>>>       <value>system_u:object_r:virt_image_t:s0</value>
>>>    </seclabel>
>>>       
>>   That looks more homogeneous. I don't know how that would map to
>> other security models, examples would be great
>>     
>
> I've cc'd Casey, who wrote Smack.  I'm not sure what the application of 
> Smack would be here (and Casey may not like the idea at all), but it is a 
> label-based MAC system.
>
>   

<seclabel model='Smack'>
   <value>_</value>
</seclabel>

Seems like a lot of mechanism to pass a string, but this is the 21st 
century.

> (The thread starts here:
> https://www.redhat.com/archives/libvir-list/2008-August/msg00740.html)
>
>
> - James
>   
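
An added example, not code from libvirt or from anyone in this thread: the Python below parses the `<seclabel>` format proposed above for both the SELinux and Smack models and reports domains that share a label, which is the separation property James describes. The domain names, the wrapping `<domain>` element, the MCS categories in the sample labels and the simplified label-syntax checks are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample input in the format proposed in the thread. Assumes the
# XML comes from a trusted local source (ElementTree is not a hardened parser).
_SEL = ("<domain><seclabel model='selinux'><policy>targeted</policy>"
        "<value>system_u:object_r:virt_image_t:{}</value></seclabel></domain>")
SAMPLE_DOMAINS = {
    "guest-a": _SEL.format("s0:c1,c2"),
    "guest-b": _SEL.format("s0:c1,c2"),   # same label as guest-a
    "guest-c": _SEL.format("s0:c3,c4"),
    "guest-d": "<domain><seclabel model='Smack'><value>_</value></seclabel></domain>",
}

def valid_selinux(value):
    # Simplified check: user:role:type with an optional level field.
    parts = value.split(":", 3)
    return len(parts) >= 3 and all(parts)

def valid_smack(value):
    # Simplified check: printable ASCII, no space, slash, backslash or quotes,
    # and no leading '-'.
    return (value != "" and value.isascii() and value.isprintable()
            and not value.startswith("-")
            and not any(c in value for c in "/\\'\" "))

VALIDATORS = {"selinux": valid_selinux, "smack": valid_smack}

def parse_seclabel(domain_xml):
    """Return (model, policy, value) for the first <seclabel> element."""
    node = ET.fromstring(domain_xml).find("seclabel")
    if node is None:
        raise ValueError("no <seclabel> element")
    # The thread spells the model both 'selinux' and 'Smack'; normalise case.
    model = (node.get("model") or "").lower()
    value = (node.findtext("value") or "").strip()
    check = VALIDATORS.get(model)
    if check is None:
        raise ValueError(f"unknown security model {model!r}")
    if not check(value):
        raise ValueError(f"malformed {model} label {value!r}")
    return model, node.findtext("policy"), value

def shared_labels(domains):
    """Map (model, value) to the domains using it, for labels used more than once."""
    seen = {}
    for name, xml in domains.items():
        model, _policy, value = parse_seclabel(xml)
        seen.setdefault((model, value), []).append(name)
    return {key: names for key, names in seen.items() if len(names) > 1}
```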



