sVirt

[Stephen Smalley]

On Mon, 2009-07-06 at 09:11 -0400, Gene Czarcinski wrote:
> On Sunday 05 July 2009 11:55:04 Paul Howarth wrote:
> > On Sun, 5 Jul 2009 11:36:05 +0100
> >
> > "Daniel P. Berrange" <berrange at redhat.com> wrote:
> > > > 4. For ISO files, maybe there should be a new/special file context
> > > > which allows sharing between processes ... it would be explicit but
> > > > it would allow sharing ... maybe something like "public_content_t".
> > >
> > > There is already a label for read only guest images
> > >
> > >   system_u:object_r:svirt_image_t:s0
> > >
> > > it shouldn't be much work for you to add a custom SELinux plugin that
> > > gives httpd_t access to content labelled svirt_image_t. Ask the
> > > fedora-selinux mailing list for assistance if needed
> >
> > Couldn't an ISO image that's already public_content_t (or even
> > public_content_rw_t) be left alone, as that type is already well-known
> > and used for sharing this type of content by various means?
> 
> Yes, exactly my point.
> 
> I believe that changing any file context should not be done.  Depend on the 
> rules in the security policy or any added with semanage apply.  And then let 
> something like public_content_t and public_content_rw_t be OK too.
> 
> Mmmm, this makes so much sense that I think I will bugzilla this.

The reason that it presently relabels the disk image is that it is
auto-generating a unique security context (unique category pair) for
each VM, and then assigning that category pair to both the qemu-kvm
process and to the disk image to isolate instances from one another.
There is also a static configuration option where you can specify the
desired context for the VM, in which case it shouldn't relabel the disk
image.

-- 
Stephen Smalley
National Security Agency