[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH] dynamic_ownership documentation



Am Freitag, 4. März 2011, um 17:35:03 schrieb Daniel P. Berrange:

Hi Daniel,

> On Fri, Mar 04, 2011 at 04:53:20PM +0100, Stephan Mueller wrote:
> > Hi,
> > 
> > I would like to propose the following patch for the libvirtd.conf file to
> > document sVirt and its usage. If you have suggestions to add better
> > wording, please let me know.
> > 
> > (If you reply with comments, could you please CC me as I am not on the
> > list.)
> > 
> > -
> > +#################################################################
> > +#
> > +# sVirt protection mechanisms
> > +#
> > +# The following options specify the separation of virtual machines
> > +# based on SELinux categories. As virtual machines execute with the
> > +# same user ID, an additional separation functionality is necessary
> > +# to prevent different virtual machines from interfering with each other
> > +# in case the simulation environment provided with QEMU is
> > +# successfully broken by a rogue guest.
> > +#
> > +# The sVirt protection mechanism implements two modes of operation:
> > +#     dynamic assignment of SELinux categories
> > +#     static assignment of SELinux labels
> > +#
> > +# A dynamic assignment of categories implies that libvirt generates
> > +# a unique SELinux category that the virtual machine and its resources
> > +# are assigned to during the instantiation of the virtual machine.
> > +# SELinux ensures that each virtual machine can only access resources
> > +# labeled with the same category as the virtual machine itself.
> > +#
> > +# A static assignment of SELinux labels imply that the administrator
> > +# manually configures the SELinux label of the virtual machine in
> > +# /etc/libvirt/qemu/<VM-DESCRIPTOR> based on the following example:
> > +#
> > +#  <seclabel model='selinux' type="static">
> > +#    <label>system_u:system_r:qemu_t:s0:c210.c502</label>
> > +#  </seclabel>
> > +#
> > +# The <label> tag specifies a full SELinux label the virtual machine
> > +# will be executed with.
> > +#
> > +# In addition to the setting of the SELinux label of the virtual
> > +# machine, the administrator must manually set the SELinux label
> > +# of all resources the virtual machine accesses appropriately.
> > +#
> > +# NOTE: The dynamic assignment of categories is only intended for
> > +#       systems with the targeted SELinux policy. Systems with the MLS
> > +#       SELinux policy MUST use the static assignment of labels.
> > +#       It is possible that static assignment is configured for
> > +#       systems with the targeted policy as well.
> > +#
> > +# dynamic_ownership: 0 == static assignment of SELinux labels
> > +#                    1 == dynamic assignment of SELinux labels
> > +dynamic_ownership=1
> > +#
> 
> This is not what the dynamic_ownership parameter does - it actually
> has nothing todo with SELinux / sVirt.  This determines whether
> libvirt will set the user/group DAC ownership on the disk images
> to match the uid/gid the QEMU process runs under.
> 
I see. Thanks for the clarification.

> Whether libvirt uses static or dynamic SELinux labels is entirely
> controlled by the guest XML config. This is explained a little bit
> in this webpage:
> 
>    http://libvirt.org/drvqemu.html#securitysvirt
> 
> though you might wish to improve the wording a little more (the web
> pages are stored in the docs/ directory of GIT.

This statement there is not fully clear. Can you please briefly state how do 
you switch between dynamic and static labeling.
> 
> Regards,
> Daniel


Ciao
Stephan

-- 
       Stephan Müller Stephan Mueller atsec com +49 172 216 55 78
atsec information security GmbH, Steinstraße 70, 81667 München, Germany
         Geschäftsführer: Salvatore la Pietra, Staffan Persson
                   HRB: 129439 (Amtsgericht München)
 atsec it security news blog - atsec-information-security.blogspot.com


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]