[libvirt] XML representation of security labels

James Morris jmorris at namei.org
Fri Aug 29 03:32:27 UTC 2008 

As part of the sVirt effort, I'm investigating how and when to label 
the resources accessed by domains.

There is already some support for querying security labels in libvirt, 
although it does not seem to be widely used as yet.

For storage pool XML descriptors, there's a permissions element per
http://libvirt.org/formatstorage.html :

    <permissions>
        <owner>0744</owner>
        <group>0744</group>
        <mode>0744</mode>
        <label>virt_image_t</label>
    </permissions>

The label element in this is currently assumed by libvirt to be an SELinux 
security label obtainable via getfilecon(3).

There are a couple of issues here:

1. We should probably not build security model specific code directly into 
the library.  It's more flexible and also cleaner to abstract the security 
model out.  So, I suggest making a plugin scheme similar to those already 
present in libvirt, where a security model can register a driver to handle 
abstracted operations like "getSecurityLabel".


2. The XML format for security labels needs to be extended to indicate 
which security model is in use, and potentially carry model-specific 
metadata.  For SELinux, we may want to know what type of policy is active, 
and later, be able to interpret labels generated on other systems.

In this case, I suggest we deprecate the existing label element and, if 
present, assume it's a plain SELinux context (or perhaps ignore it).

I'd suggest we implement a new label element to avoid breaking 
compatibility and to avoid potential confusion with other types of device 
labels (e.g. as you might see via /dev/disk/by-label).

So, how about the following:

   <seclabel>

       <model>

           <!-- model-specific elements in here, to be handled by 
                named security driver, in this case "selinux" -->

           <selinux>
               <type>targeted</type>
           </selinux>

       </model>

       <value>system_u:object_r:virt_image_t:s0</value>

   </seclabel>


The model and value elements would be mandatory, but possibly empty.

The seclabel element would be a child of the permissions element:

    <permissions>
        <owner>0744</owner>
        <group>0744</group>
        <mode>0744</mode>
        <seclabel>
            <model>
                <selinux>
                    <type>targeted</type>
                </selinux>
             </model>
             <value>system_u:object_r:virt_image_t:s0</value>
         </seclabel>
    </permissions>

It would also likely be reused for labeling domains themselves, and other 
resources.

Thoughts?



- James
-- 
James Morris
<jmorris at namei.org>

More information about the libvir-list mailing list