James Morris wrote:
On Fri, 29 Aug 2008, Daniel Veillard wrote:
2. The XML format for security labels needs to be extended to indicate
which security model is in use, and potentially carry model-specific
metadata. For SELinux, we may want to know what type of policy is active,
and later, be able to interpret labels generated on other systems.
I guess so far we didn't look at the interpretation of security
context in the case of migration to a different system. The problem
is that except for the base UNIX informations, they are likely to be
lost. Still i would expect that storage will have to be shared for
such migration, so in the end the case of migration of security context
values looks like quite unprobable, but maybe I don't see some of the
use cases (heterogenous server pools ?)
In the simplest case, we'll just be wanting to ensure that domains are
running with distinct labels for separation purposes, so that concept may
be possible to convey during migration.
As for specific labels (e.g. "privileged", "company-confidential" etc.),
this is a general problem to be solved for distributed MAC security, and
we would not expect to solve it here in the first iteration. There's a
term used in this area called Domain of Interpretation (DOI), which is
essentially label metatdata used to interpret/translated labels between
systems. It's something that can be added to the XML if/when needed, but
we don't need it now.
The Labeled NFS and labeled networking projects are addressing similar
issues, and it's possible that one or both would be involved in
distributing sVirt across the network.
<seclabel model='selinux'>
<policy>targeted</policy>
<value>system_u:object_r:virt_image_t:s0</value>
</seclabel>
that looks more homogeneous. i don't know hos that would map to
other security models, examples would be great
I've cc'd Casey, who wrote Smack. I'm not sure what the application of
Smack would be here (and Casey may not like the idea at all), but it is a
label-based MAC system.
<seclabel model='Smack'>
<value>_</value>
</seclabel>
Seems like a lot of mechanism to pass a string, but this is the 21st
century.
(The thread starts here:
https://www.redhat.com/archives/libvir-list/2008-August/msg00740.html)
- James
--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list