[libvirt] RFC: extending sVirt to confine host apps which talk to libvirtd

Daniel P. Berrange berrange at redhat.com
Mon Jun 13 17:09:23 UTC 2011


On Thu, Jun 09, 2011 at 11:41:10AM -0500, Jamie Strandboge wrote:
> On Thu, 2011-06-09 at 11:15 -0400, Eric Paris wrote:
> > On Mon, 2011-06-06 at 15:41 +0100, Daniel P. Berrange wrote:
> > > What follows is a document outlining some thoughts I've been having
> > > on extending sVirt to allow confinement of applications which talk
> > > to libvirtd on the host, primarily focusing on use of SELinux, but
> > > also allowing a simple non-SELinux RBAC mechanism.
> > 
> > Are we reinventing a lot of PolicyKit?  I don't think PolicyKit does a
> > good job of using SELinux but it does attempt to solve most of the same
> > problem you are attempting to solve here.  I just want to make sure it
> > was looked at, even if I like the approach you are taking here more...
> 
> I've not had time to dig deep into this, but a concern I had is how this
> might affect other security drivers (in my case, specifically AppArmor,
> but DAC alone might also be something to think about as well as any
> future drivers like for SMACK or Tomoyo). Using something like
> PolicyKit, if it is appropriate, could allow non-SELinux drivers to
> benefit as well.

I already addressed the issue of non-SELinux users in my original
mail:

 [quote]
  9. Create a simple impl of the access control APIs which defines
     roles for groups of user identities, and grants privileges to
     each role based on the operation names. This allows for simple
     testing of internal infrastructure, and an RBAC mechanism for
     users who lack SELinux in their OS.
 [/quote]

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|



