Re: sVirt
- From: Stephen Smalley <sds tycho nsa gov>
- To: Gene Czarcinski <gene czarc net>
- Cc: fedora-selinux-list redhat com
- Subject: Re: sVirt
- Date: Mon, 06 Jul 2009 14:46:13 -0400
On Mon, 2009-07-06 at 14:26 -0400, Gene Czarcinski wrote:
> Neat!
>
> OK, this is starting to make more sense to me. I like the idea of using the
> MCS policy to protect guests from each other.
>
> As far as I can see, the MCS policy stuff has not been implemented yet ... at
> least with libvirt-0.6.2 ... I am still waiting for 0.6.5 to appear in Fedora
> 11 updates-testing. I hope this MCS policy stuff gets implemented for Fedora
> 11 so I can give it a try.

It works for me on F11 out of the box, as described in:
http://fedoraproject.org/wiki/Features/SVirt_Mandatory_Access_Control#How_To_Test

If I start guest VMs via virt-manager or virsh, they get labeled with
unique MCS category pairs and their virtual disks get labeled
accordingly automatically. And when I stop them, the disks get reset
to their original label and become inaccessible to any guest.

--
Stephen Smalley
National Security Agency
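
One way to check the labeling described in the message above, as an added example that is not part of the original post or of libvirt: it parses process and file contexts and reports guests that share a category pair or disks whose label matches no running guest. The sample lines are constructed, and the type names `svirt_t`, `svirt_image_t` and `virt_image_t` and the image paths are assumptions not stated in the message.

```python
import re
from collections import defaultdict

# Constructed sample output (not from the message), context column first as in
# `ps -eZ` and `ls -Z`. Type names svirt_t / svirt_image_t / virt_image_t are assumed.
PS_SAMPLE = """\
system_u:system_r:svirt_t:s0:c87,c520 2101 ? 00:01:12 qemu-kvm
system_u:system_r:svirt_t:s0:c133,c901 2188 ? 00:00:47 qemu-kvm
system_u:system_r:virtd_t:s0 1650 ? 00:00:03 libvirtd
"""
LS_SAMPLE = """\
system_u:object_r:svirt_image_t:s0:c87,c520 /var/lib/libvirt/images/guest1.img
system_u:object_r:svirt_image_t:s0:c133,c901 /var/lib/libvirt/images/guest2.img
system_u:object_r:virt_image_t:s0 /var/lib/libvirt/images/stopped.img
"""

CONTEXT = re.compile(r"^[^:\s]+:[^:\s]+:(?P<type>[^:\s]+):(?P<level>\S+)\s+(?P<rest>.+)$")

def parse(text):
    """Yield (type, category set, remainder) per labelled line; ranges are not expanded."""
    for line in text.splitlines():
        m = CONTEXT.match(line.strip())
        if m:
            cats = m["level"].partition(":")[2]
            yield m["type"], frozenset(c for c in cats.split(",") if c), m["rest"]

def audit(ps_text, ls_text):
    """Return a list of findings; an empty list means the isolation labels line up."""
    findings, guests = [], defaultdict(list)
    for typ, cats, rest in parse(ps_text):
        if typ == "svirt_t":
            pid = rest.split()[0]
            guests[cats].append(pid)
            if len(cats) != 2:
                findings.append(f"pid {pid}: no MCS category pair ({sorted(cats)})")
    for cats, pids in guests.items():
        if len(pids) > 1:
            findings.append(f"pids {pids} share categories {sorted(cats)}")
    labelled = set()
    for typ, cats, path in parse(ls_text):
        if typ == "svirt_image_t":
            labelled.add(cats)
            if cats not in guests:
                findings.append(f"{path}: guest label but no running guest matches")
    for cats, pids in guests.items():
        if cats not in labelled:
            findings.append(f"pids {pids}: no disk image carries {sorted(cats)}")
    return findings

if __name__ == "__main__":
    print(audit(PS_SAMPLE, LS_SAMPLE) or "labels consistent")
```
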