[libvirt] [PATCH 0/7] security: Allow disabling security per VM

[Daniel P. Berrange]

On Wed, Jan 12, 2011 at 12:22:56PM -0500, Cole Robinson wrote:
> Enabling a security driver in qemu.conf is currently all or nothing.
> The option to disable security on a per VM basis can be a useful debugging
> tool or work around for frustrated users.
> 
> Patches 1-3 and 5-6 are prep and cleanup work. Patch 4 fixes an
> easily triggerable segfault when defining a domain in qemu. Patch 7
> is the actual feature.

Hmm, I can understand the motivation for wanting to allow
users to disable security per VM. From the POV of a security
person it is a bad idea to allow this capability to be used
by default since running one single unconfined VM compromises
the entire security model.  As a host admin, we need to be
able to enforce that every single VM launched is always running
with security model active, and not allow libvirt admins to
override that decision at all.

Thus a default libvirt install would have to forbid any attempt
to run a VM with a secmodel=none, and reject with an error.
It would have to require a host level configuration change to
allow running VMs without a secmodel. Unfortunately once you
require this you might as well just be changing the existing
config param in qemu.conf for libvirtd as a whole.

If a user is having trouble, and needs to debug then I think
it is best to just 'setenforce 0' and do the debugging.


NB, some of your patches in this series are useful regardless,
but I don't think we should allow a tunable to turn off
security per VM.

Regards,
Daniel