Re: [libvirt] [ANNOUNCE][RFC] sVirt: Integrating SELinux and Linux-based virtualization
- From: James Morris <jmorris namei org>
- To: "Daniel P. Berrange" <berrange redhat com>
- Cc: libvir-list redhat com, selinux tycho nsa gov
- Subject: Re: [libvirt] [ANNOUNCE][RFC] sVirt: Integrating SELinux and Linux-based virtualization
- Date: Tue, 12 Aug 2008 21:25:51 +1000 (EST)
On Tue, 12 Aug 2008, Daniel P. Berrange wrote:
> Do we instead add the info to the udev rules, so when /dev is
> populated at boot time by udev the device nodes get the desired
> initial labelling? Or do we manually chcon() the device
> at the time we boot the VM?
Dan Walsh has mentioned wanting to label the device at VM launch so that
MCS labels can be dynamically assigned. This raises some other possible
issues such as revoking any existing access (Linux doesn't have general
revocation) and having the security of the system depend on whatever is
performing the relabel (although we can enforce relabelfrom/relabelto
permissions).
I wonder if existing work/concepts related to MLS device allocation would
be useful here.
See:
http://sourceforge.net/projects/devallocator/
- James
--
James Morris
<jmorris namei org>
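The two points James raises, handing each VM a dynamically assigned MCS label at launch and the fact that relabelling does not revoke access already granted, as an added example that is not code from this thread or from libvirt. The label layout `s0:cA,cB` with two distinct categories, the type name `placeholder_dev_t`, the `chcon` invocation, and the use of a DAC mode change as a stand-in for a relabel are all assumptions made for the illustration.

```python
"""Added illustration (not from the thread or libvirt): per-VM MCS label
allocation, the chcon call a VM launcher would run, and a DAC demonstration
of why relabelling an object does not take back access that is already held.
"""
import os
import random
import stat
import tempfile

MCS_CATEGORIES = 1024             # assumption: categories c0 .. c1023
SENSITIVITY = "s0"                # assumption: single sensitivity level
PLACEHOLDER_TYPE = "placeholder_dev_t"   # hypothetical type for VM device nodes


def categories_of(mcs):
    """'s0:c12,c731' -> (12, 731)."""
    _, cats = mcs.split(":")
    a, b = (int(c[1:]) for c in cats.split(","))
    return (a, b)


def allocate_mcs_label(in_use, rng=None):
    """Pick a category pair no running VM already holds.

    Each VM gets a distinct pair {cA, cB}; MCS then denies its process access
    to device nodes carrying another VM's pair. `in_use` is the pairs of the
    VMs currently running. Returns the MCS part, e.g. 's0:c12,c731'.
    """
    rng = rng or random
    used = {frozenset(pair) for pair in in_use}
    if len(used) >= MCS_CATEGORIES * (MCS_CATEGORIES - 1) // 2:
        raise RuntimeError("no free category pair left")
    while True:
        a, b = rng.sample(range(MCS_CATEGORIES), 2)
        if frozenset((a, b)) not in used:
            lo, hi = sorted((a, b))
            return f"{SENSITIVITY}:c{lo},c{hi}"


def allocate_many(n, seed=0):
    """Allocate n labels in sequence, feeding each back as 'in use'."""
    rng = random.Random(seed)
    taken = []
    for _ in range(n):
        taken.append(categories_of(allocate_mcs_label(taken, rng=rng)))
    return taken


def chcon_argv(device_path, mcs):
    """The relabel a launcher would exec at VM boot (Daniel's chcon() option).

    The process running this needs relabelfrom on the node's old context and
    relabelto on the new one, which is the check James mentions policy can
    enforce on whoever performs the relabel.
    """
    return ["chcon", f"system_u:object_r:{PLACEHOLDER_TYPE}:{mcs}", device_path]


def relabel_does_not_revoke():
    """DAC analogue of the revocation gap James points out.

    Open a file, then strip all permission bits (stand-in for relabelling the
    node to another VM's pair). The descriptor opened earlier keeps working;
    only new opens are checked against the new permissions. Root bypasses DAC
    entirely, so the fresh open is reported alongside the euid.
    """
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, b"secret")
        os.close(fd)
        held = open(path, "rb")            # access granted under the old mode
        os.chmod(path, 0)                  # "relabel": nobody may open it now
        still_reads = held.read() == b"secret"
        held.close()
        try:
            with open(path, "rb"):
                fresh_open_allowed = True
        except PermissionError:
            fresh_open_allowed = False
        return {
            "old_fd_still_reads": still_reads,
            "fresh_open_allowed": fresh_open_allowed,
            "is_root": getattr(os, "geteuid", lambda: 0)() == 0,
        }
    finally:
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
        os.unlink(path)


if __name__ == "__main__":
    label = allocate_mcs_label([(12, 731)])
    print(" ".join(chcon_argv("/dev/hypothetical-vm-disk", label)))
    print(relabel_does_not_revoke())
```

The allocator keeps uniqueness across VMs but, as the thread says, cannot pull back what a previously running guest already has open under the old label; the last function makes that concrete with ordinary file modes so it runs on any Linux box without SELinux.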