[libvirt] Re: [ANNOUNCE][RFC] sVirt: Integrating SELinux and Linux-based virtualization

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tuesday 12 August 2008 5:57:19 am James Morris wrote:
> On Tue, 12 Aug 2008, Russell Coker wrote:
> > One thing that should be noted is the labelled network benefits. 
> > If you had several groups of virtual servers running at different
> > levels and wanted to prevent information leaks then having SE Linux
> > contexts and labelled networking could make things a little easier.
> >
> > I have had some real challenges in managing firewall rules for Xen
> > servers. My general practice is to try and make sure that there is
> > no real need for firewalls between hosts on the same hardware (not
> > that I want it this way - it's what technical and management issues
> > force me to).
> >
> > So for example if I have an ISP Xen server running virtual machines
> > for a number of organisations I make sure that they are either all
> > within a similar trust boundary (IE affiliated groups) or all
> > mutually untrusting (IE other IP addresses in the same net-block
> > are treated the same as random hosts on the net).
>
> Thanks for the insights -- we expect to address the virtual
> networking aspect in some way.

I think we could do some pretty cool things here with the new, well 
2.6.25 new, network ingress/egress controls and restricting VM 
instances to specific interfaces and/or networks.  However, we would 
need to settle the basic VM label management issues first.

-- 
paul moore
linux @ hp

--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list

[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]