Re: sVirt
- From: "Daniel P. Berrange" <berrange redhat com>
- To: Gene Czarcinski <gene czarc net>
- Cc: fedora-selinux-list redhat com
- Subject: Re: sVirt
- Date: Sun, 5 Jul 2009 11:36:05 +0100
On Sat, Jul 04, 2009 at 12:13:47PM -0400, Gene Czarcinski wrote:
> 1. I am not sure what should be done with real devices such as /dev/sr0.
sVirt does not distinguish based on device type; rather, it goes off the
disk mode. Exclusive read/write disks get a label with an MCS level specific
to the guest, shared read/write disks get a label with an MCS level of 0, and
read-only disks get the label system_u:object_r:svirt_image_t:s0, which allows
read access.
> 2. For files on read-only file systems, don't do anything ... they are protected
> about as much as they can be.
As has been mentioned in the bug you raised several days ago, this issue
should already be addressed
https://bugzilla.redhat.com/show_bug.cgi?id=507555
> 4. For ISO files, maybe there should be a new/special file context which allows
> sharing between processes ... it would be explicit but it would allow sharing
> ... maybe something like "public_content_t".
There is already a label for read-only guest images:
system_u:object_r:svirt_image_t:s0
It shouldn't be much work for you to add a custom SELinux plugin that
gives httpd_t access to content labelled svirt_image_t. Ask the fedora-selinux
mailing list for assistance if needed.
> 5. Maybe implement a switch which disables SELinux enforcing (and does not
> change the file context of ISO files) for Fedora-virtualization.
Already present: in /etc/libvirt/qemu.conf, set security_driver="none".
> 6. Maybe the switch should be by guest.
Easy enough to add - file a bug if you want this capability.
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
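The labelling rule Daniel describes above (label chosen by disk mode, not device type), as an added example that is not code from the original message or from libvirt: a Python script that derives the label each disk should carry from the <readonly/> and <shareable/> elements of a libvirt domain XML and compares it with `ls -Z` output. The domain XML, the guest's category pair c123,c456 and the `ls -Z` lines are constructed for the example; the ISO line is deliberately given the guest's private category pair so the mismatch check has something to report.

```python
import re
import xml.etree.ElementTree as ET

# Labels as described in the reply above. Shared read/write and read-only
# disks get the base label at MCS level s0; an exclusive read/write disk gets
# the guest's own category pair appended (e.g. s0:c123,c456).
SVIRT_IMAGE_BASE = "system_u:object_r:svirt_image_t:s0"

# Constructed domain XML (example data, not from the page): one exclusive
# image, one shared image, one ISO and one real CD-ROM device (/dev/sr0).
DOMAIN_XML = """<domain type='kvm'>
  <name>f11</name>
  <devices>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/f11.img'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/shared.img'/>
      <target dev='vdb' bus='virtio'/>
      <shareable/>
    </disk>
    <disk type='file' device='cdrom'>
      <source file='/var/lib/libvirt/images/Fedora-11.iso'/>
      <target dev='hdc' bus='ide'/>
      <readonly/>
    </disk>
    <disk type='block' device='cdrom'>
      <source dev='/dev/sr0'/>
      <target dev='hdd' bus='ide'/>
      <readonly/>
    </disk>
  </devices>
</domain>
"""

# Constructed `ls -Z` output (mode, user, group, context, name). The ISO has
# been given the guest's private category pair on purpose.
LS_Z_OUTPUT = """\
-rw-------. qemu qemu system_u:object_r:svirt_image_t:s0:c123,c456 /var/lib/libvirt/images/f11.img
-rw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0 /var/lib/libvirt/images/shared.img
-rw-r--r--. root root system_u:object_r:svirt_image_t:s0:c123,c456 /var/lib/libvirt/images/Fedora-11.iso
brw-rw----. root cdrom system_u:object_r:svirt_image_t:s0 /dev/sr0
"""

# user:role:type:sensitivity[:categories]
CONTEXT_RE = re.compile(r"^[\w.]+:[\w.]+:[\w.]+:s\d+(?::c\d+(?:,c\d+)*)?$")


def disk_mode(disk):
    """Classify a <disk> element by mode; the device type is irrelevant."""
    if disk.find("readonly") is not None:
        return "readonly"
    if disk.find("shareable") is not None:
        return "shared"
    return "exclusive"


def expected_label(mode, guest_categories):
    """Label sVirt should apply for a disk of the given mode."""
    if mode == "exclusive":
        return f"{SVIRT_IMAGE_BASE}:{guest_categories}"
    return SVIRT_IMAGE_BASE


def expected_labels(xml_text, guest_categories):
    """Map each disk source path in the domain XML to its expected label."""
    root = ET.fromstring(xml_text)
    result = {}
    for disk in root.iter("disk"):
        source = disk.find("source")
        if source is None:
            continue
        path = source.get("file") or source.get("dev")
        if path:
            result[path] = expected_label(disk_mode(disk), guest_categories)
    return result


def parse_ls_z(text):
    """Return {path: context} from `ls -Z` output; paths must not contain spaces."""
    labels = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        # The context is whichever field looks like user:role:type:level.
        contexts = [f for f in fields[:-1] if CONTEXT_RE.match(f)]
        if contexts:
            labels[fields[-1]] = contexts[0]
    return labels


def check_labels(xml_text, guest_categories, ls_z_text):
    """Return {path: (expected, actual)} for every disk whose label differs."""
    expected = expected_labels(xml_text, guest_categories)
    actual = parse_ls_z(ls_z_text)
    return {
        path: (want, actual.get(path))
        for path, want in expected.items()
        if actual.get(path) != want
    }


if __name__ == "__main__":
    for path, (want, got) in check_labels(DOMAIN_XML, "c123,c456", LS_Z_OUTPUT).items():
        print(f"{path}: expected {want}, found {got}")
```

Run against a real host, replace DOMAIN_XML with `virsh dumpxml <guest>`, the category pair with the one shown by `ps -eZ` for the guest's qemu process, and LS_Z_OUTPUT with `ls -Z` on the disk paths. Note that the base labels follow this 2009 message; later libvirt releases label read-only disks virt_content_t rather than svirt_image_t, so adjust the constants to the policy actually installed.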