[libvirt] Re: XML representation of security labels

James Morris jmorris at namei.org
Fri Aug 29 07:13:23 UTC 2008 

On Fri, 29 Aug 2008, Daniel Veillard wrote:

> > > 2. The XML format for security labels needs to be extended to indicate 
> > > which security model is in use, and potentially carry model-specific 
> > > metadata.  For SELinux, we may want to know what type of policy is active, 
> > > and later, be able to interpret labels generated on other systems.
> 
>   I guess so far we didn't look at the interpretation of security
> context in the case of migration to a different system. The problem
> is that except for the base UNIX informations, they are likely to be
> lost. Still i would expect that storage will have to be shared for
> such migration, so in the end the case of migration of security context
> values looks like quite unprobable, but maybe I don't see some of the
> use cases (heterogenous server pools ?)

In the simplest case, we'll just be wanting to ensure that domains are 
running with distinct labels for separation purposes, so that concept may 
be possible to convey during migration.

As for specific labels (e.g. "privileged", "company-confidential" etc.), 
this is a general problem to be solved for distributed MAC security, and 
we would not expect to solve it here in the first iteration.  There's a 
term used in this area called Domain of Interpretation (DOI), which is 
essentially label metatdata used to interpret/translated labels between 
systems.  It's something that can be added to the XML if/when needed, but 
we don't need it now.

The Labeled NFS and labeled networking projects are addressing similar 
issues, and it's possible that one or both would be involved in 
distributing sVirt across the network.


> >    <seclabel model='selinux'>
> >       <policy>targeted</policy>
> >       <value>system_u:object_r:virt_image_t:s0</value>
> >    </seclabel>
> 
>   that looks more homogeneous. i don't know hos that would map to
> other security models, examples would be great

I've cc'd Casey, who wrote Smack.  I'm not sure what the application of 
Smack would be here (and Casey may not like the idea at all), but it is a 
label-based MAC system.

(The thread starts here:
https://www.redhat.com/archives/libvir-list/2008-August/msg00740.html)


- James
-- 
James Morris
<jmorris at namei.org>

More information about the libvir-list mailing list