On 10/05/2013 05:52 AM, Matthew Miller wrote:
> On Fri, Oct 04, 2013 at 06:16:18PM -0400, Daniel J Walsh wrote:
>>> Another question, probably a dumb one. Will this work with the lxc-tools
>>> approach or just with libvirt-lxc?
>> We can work with it on the lxc version, but I am not sure if it will work
>> easily.
>
> But libvirt _does_ make it easy? Again, sorry if these are silly questions.
> :)

I haven't tried containers yet; as Dan stated, libvirt has always supported
confinement of guests via sVirt. If you want to do a quick test:

$ ls -lZ /var/lib/libvirt/images/fed18.qcow2
-rw-r--r--. qemu qemu system_u:object_r:svirt_image_t:s0:c920,c980 /var/lib/libvirt/images/fed18.qcow2

$ ps -eZ | grep qemu
system_u:system_r:svirt_t:s0:c920,c980 30017 ? 00:00:16 qemu-system-x86

As you can notice above, the QEMU process and its associated disk image have a
*unique* SELinux label. So, even if the QEMU process is compromised, it cannot
spill over to other processes.

/kashyap

--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
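The quick test above can be turned into a repeatable check: the guest's process label must be svirt_t, its disk image must be svirt_image_t, and both must carry the same MCS category pair. The script below is an added example, not code from the thread or from libvirt; the helper names (label_type, label_cats, svirt_pair_ok, check_running_guest) are my own, and the sample labels are the ones quoted in the message.

```shell
#!/bin/sh
# Split an SELinux label "user:role:type:sensitivity:categories" into
# its type field and its category set. Categories are sorted so that
# "c980,c920" and "c920,c980" compare equal. Ranges such as "c0.c1023"
# are not expanded here (assumed not to occur on sVirt-labelled guests).
label_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

label_cats() {
    # Field 5 may be absent on labels without categories; that yields "".
    printf '%s\n' "$1" | cut -d: -f5 | tr ',' '\n' | sort | tr '\n' ',' | sed 's/,$//'
}

# svirt_pair_ok PROCESS_LABEL IMAGE_LABEL
# Returns 0 only if the process is confined as svirt_t, the image is
# svirt_image_t, and both share the same non-empty MCS category set.
# An empty category set means the guest is not actually isolated by
# sVirt (every svirt_t process could then reach the image).
svirt_pair_ok() {
    proc_label=$1
    img_label=$2
    [ "$(label_type "$proc_label")" = "svirt_t" ] || return 1
    [ "$(label_type "$img_label")" = "svirt_image_t" ] || return 1
    proc_cats=$(label_cats "$proc_label")
    img_cats=$(label_cats "$img_label")
    [ -n "$proc_cats" ] || return 1
    [ "$proc_cats" = "$img_cats" ]
}

# guests_distinct PROCESS_LABEL_A PROCESS_LABEL_B
# Two guests must not end up with the same category pair, otherwise the
# "unique label" property from the message no longer holds between them.
guests_distinct() {
    [ "$(label_cats "$1")" != "$(label_cats "$2")" ]
}

# check_running_guest PID IMAGE_PATH
# Live variant for an SELinux host (not exercised offline): read the
# process context with ps and the file context with GNU stat's %C.
check_running_guest() {
    proc_label=$(ps -o label= -p "$1") || return 2
    img_label=$(stat -c %C "$2") || return 2
    svirt_pair_ok "$proc_label" "$img_label"
}
```

On a libvirt host, `check_running_guest 30017 /var/lib/libvirt/images/fed18.qcow2` reproduces the manual comparison from the message; a non-zero exit means the guest is not confined the way the thread describes.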