[libvirt] RFC: sVirt disk isolation with network based storage

Paul Moore pmoore at redhat.com
Thu Aug 21 19:47:14 UTC 2014


On Thursday, August 21, 2014 10:48:05 AM Daniel J Walsh wrote:
> I think we should setup a meeting to discuss this and figure out our option.

Sorry I'm slow to the party, I'm at LSS/LinuxCon this week and the network has 
been fairly spotty.

> We need a mechanism for libvirt to send the labels of the process and
> images to the remote server and then we need an enforcement mechanism to
> only allow the process label to interact with the file image.  SELinux could
> do this if each vm has a separate process running on the server interacting
> with the image.  Otherwise the server needs to do some kind of enforcement
> on its own.
> 
> We could use some form of labeled networking for transmitting the MCS
> Label of qemu to the server or we would need to extend the protocol to
> send the label down.
> 
> There are two ways to handle labeled networking. The most common labeling
> standard, CIPSO, only sends the MCS portion of the label.  The second
> form can send the entire label of the process, but it is seldom used and
> requires Labeled IPSEC.

As one would expect, neither CIPSO nor labeled IPsec is perfect, but they are 
really our only options for conveying labels across a network - unless we want 
to augment/extend RBD, which I know almost nothing about (a quick search makes 
me think this is Ceph's remote storage protocol).

Daniel (Mr. Libvirt, not Mr. SELinux), can you provide a quick overview of 
RBD, with bonus points for information on who controls the protocol 
(Inktank/RH or IETF) and if it offers any sort of extensibility (in other 
words, is there any hope for us to add label information to the protocol).

-- 
paul moore
security and virtualization @ redhat
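To make the CIPSO limitation concrete, here is an added example (not code from the thread or from libvirt) that builds and parses an IPv4 CIPSO option carrying a tag type 1 (restricted bitmap) tag: the wire format has room only for a sensitivity level and a category bitmap, so the SELinux user, role and type of the qemu process never leave the host. The `mcs_string` rendering assumes a pass-through DOI mapping (level and category numbers used as-is).

```python
import struct

CIPSO_OPT_TYPE = 0x86   # IPv4 option type 134 (CIPSO)
CIPSO_TAG_RBM = 1       # tag type 1: restricted bitmap of categories


def encode_cipso_rbm(doi, level, categories):
    """Build a CIPSO option with one tag-type-1 tag.

    Only a sensitivity level and up to 240 categories fit in the tag;
    there is no field for the rest of an SELinux context.
    """
    nbytes = (max(categories) // 8 + 1) if categories else 0
    if nbytes > 30:
        raise ValueError("tag type 1 bitmap is limited to 30 octets")
    bitmap = bytearray(nbytes)
    for c in categories:
        bitmap[c // 8] |= 0x80 >> (c % 8)   # bit 0 is the MSB of octet 0
    # tag = type, length (4 + bitmap), alignment octet, level, bitmap
    tag = bytes([CIPSO_TAG_RBM, 4 + nbytes, 0, level]) + bytes(bitmap)
    body = struct.pack("!I", doi) + tag
    return bytes([CIPSO_OPT_TYPE, 2 + len(body)]) + body


def decode_cipso(option):
    """Parse a CIPSO option into (doi, [tag dicts]); rejects malformed input."""
    if len(option) < 6 or option[0] != CIPSO_OPT_TYPE or option[1] != len(option):
        raise ValueError("not a well-formed CIPSO option")
    doi = struct.unpack("!I", option[2:6])[0]
    tags, pos = [], 6
    while pos < len(option):
        if pos + 2 > len(option):
            raise ValueError("truncated CIPSO tag header")
        ttype, tlen = option[pos], option[pos + 1]
        if tlen < 4 or pos + tlen > len(option):
            raise ValueError("bad CIPSO tag length")
        if ttype == CIPSO_TAG_RBM:
            bitmap = option[pos + 4:pos + tlen]
            cats = [i for i in range(len(bitmap) * 8)
                    if bitmap[i // 8] & (0x80 >> (i % 8))]
            tags.append({"type": ttype, "level": option[pos + 3], "categories": cats})
        else:
            tags.append({"type": ttype})   # other tag types are not decoded here
        pos += tlen
    return doi, tags


def mcs_string(level, categories):
    """Render the MCS portion of a label (assumes a pass-through DOI map)."""
    cats = ",".join(f"c{c}" for c in categories)
    return f"s{level}:{cats}" if cats else f"s{level}"
```

Decoding the option for a VM at `s0:c3,c9` yields only that MCS pair; any enforcement on the storage server must be keyed on it, since the `svirt_t` type is simply not on the wire.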