[libvirt-users] libvirt with sanlock

Eric Blake eblake at redhat.com
Wed Mar 14 10:12:00 UTC 2012


On 03/14/2012 01:32 AM, Alex Jia wrote:
> I'm not sure whether you met a sanlock AVC error in your
> /var/log/audit/audit.log, could you check it and provide your
> selinux-policy version? In addition, you should turn on selinux bool
> value for sanlock, for example,
> 
> # getsebool -a|grep sanlock
> virt_use_sanlock --> off
> # setsebool -P virt_use_sanlock on
> # getsebool -a|grep sanlock
> virt_use_sanlock --> on

Yuck - we have a documentation bug, since
http://libvirt.org/locking.html doesn't mention virt_use_sanlock at all.
What sort of AVCs are expected if the bool is false, and what security
implications are there by setting it to true?

For example, if virt_use_nfs is false, you can't use NFS storage for
guest disk images (at least not until qemu adds better support for fd
passing everywhere); but if it is true, then you are admitting that a
compromised qemu guest can do whatever it wants to other files within
the confines of your NFS mount point, rather than the normal sVirt
guarantee that it can only touch the files that have been labeled for
that guest - if you trust your guests, or use different NFS mount points
per guest, then setting the bool to true won't pose a significant risk
to you; if you don't trust your guests, then documenting the risks of
this bool would be enough to convince me to use iSCSI or other shared
storage alternative with more security guarantees even though it
requires more administrative setup on my part.  But I don't even know
the risks of virt_use_sanlock to document them or what could be used as
alternatives.

-- 
Eric Blake   eblake at redhat.com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
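An added example, not code from the thread or from libvirt: a small audit script for the situation Eric's mail calls risky, where virt_use_nfs is on and several guests keep disk images under the same NFS mount point (the mitigation he names is one mount point per guest). It assumes virsh, findmnt and getsebool are available for the live check; the core function works on constructed text, so it can be tried without a libvirt host.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumes virsh, findmnt and
# getsebool exist for the live check; shared_nfs_mounts itself only needs awk.

# shared_nfs_mounts DISKS MOUNTS
#   DISKS:  lines of "<domain> <image path>" (paths must not contain spaces)
#   MOUNTS: lines of "<mount point> <fstype>", as printed by findmnt -rno TARGET,FSTYPE
# Prints "<mount point> <domain> <domain>..." for every NFS mount that backs
# disks of more than one domain; prints nothing when each guest has its own mount.
shared_nfs_mounts() {
    printf '%s\n' "$2" | awk -v disks="$1" '
        { mnt[$1] = $2 }                       # mount table: target -> fstype
        END {
            n = split(disks, lines, "\n")
            for (i = 1; i <= n; i++) {
                if (split(lines[i], f, " ") < 2) continue
                dom = f[1]; path = f[2]; best = ""
                for (m in mnt) {               # longest mount point that prefixes the path
                    pre = (m == "/") ? "/" : m "/"
                    if (index(path, pre) == 1 && length(m) > length(best)) best = m
                }
                if (best == "" || mnt[best] !~ /^nfs/) continue
                if (!seen[best, dom]++) { count[best]++; doms[best] = doms[best] " " dom }
            }
            for (m in count) if (count[m] > 1) print m doms[m]
        }' | sort
}

# Live check on a host: show the two booleans the thread discusses, then collect
# every file-backed disk of every defined domain and look for shared NFS mounts.
# (Domain names containing whitespace are not handled by the simple loop.)
audit_host() {
    getsebool virt_use_nfs virt_use_sanlock
    disks=$(for d in $(virsh list --all --name); do
        virsh domblklist "$d" --details | awk -v d="$d" '$1 == "file" && $4 ~ /^\// { print d, $4 }'
    done)
    shared_nfs_mounts "$disks" "$(findmnt -rno TARGET,FSTYPE)"
}

if [ "${1:-}" = "--live" ]; then audit_host; fi
```

Run it as `sh audit.sh --live` on the host; any line it prints names an NFS mount where a compromised guest could reach another guest's images once virt_use_nfs is on.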
