On Fri, Mar 04, 2011 at 04:53:20PM +0100, Stephan Mueller wrote:
> Hi,
>
> I would like to propose the following patch for the libvirtd.conf file to
> document sVirt and its usage. If you have suggestions to add better wording,
> please let me know.
>
> (If you reply with comments, could you please CC me as I am not on the list.)
>
> -
> +#################################################################
> +#
> +# sVirt protection mechanisms
> +#
> +# The following options specify the separation of virtual machines
> +# based on SELinux categories. As virtual machines execute with the
> +# same user ID, an additional separation functionality is necessary
> +# to prevent different virtual machines from interfering with each other
> +# in case the simulation environment provided with QEMU is
> +# successfully broken by a rogue guest.
> +#
> +# The sVirt protection mechanism implements two modes of operation:
> +#   dynamic assignment of SELinux categories
> +#   static assignment of SELinux labels
> +#
> +# A dynamic assignment of categories implies that libvirt generates
> +# a unique SELinux category that the virtual machine and its resources
> +# are assigned to during the instantiation of the virtual machine.
> +# SELinux ensures that each virtual machine can only access resources
> +# labeled with the same category as the virtual machine itself.
> +#
> +# A static assignment of SELinux labels imply that the administrator
> +# manually configures the SELinux label of the virtual machine in
> +# /etc/libvirt/qemu/<VM-DESCRIPTOR> based on the following example:
> +#
> +#   <seclabel model='selinux' type="static">
> +#     <label>system_u:system_r:qemu_t:s0:c210.c502</label>
> +#   </seclabel>
> +#
> +# The <label> tag specifies a full SELinux label the virtual machine
> +# will be executed with.
> +#
> +# In addition to the setting of the SELinux label of the virtual
> +# machine, the administrator must manually set the SELinux label
> +# of all resources the virtual machine accesses appropriately.
> +#
> +# NOTE: The dynamic assignment of categories is only intended for
> +# systems with the targeted SELinux policy. Systems with the MLS
> +# SELinux policy MUST use the static assignment of labels.
> +# It is possible that static assignment is configured for
> +# systems with the targeted policy as well.
> +#
> +# dynamic_ownership: 0 == static assignment of SELinux labels
> +#                    1 == dynamic assignment of SELinux labels
> +dynamic_ownership=1
> +#

This is not what the dynamic_ownership parameter does - it actually has
nothing to do with SELinux / sVirt. This determines whether libvirt will
set the user/group DAC ownership on the disk images to match the uid/gid
the QEMU process runs under.

Whether libvirt uses static or dynamic SELinux labels is entirely
controlled by the guest XML config. This is explained a little bit in
this webpage:

  http://libvirt.org/drvqemu.html#securitysvirt

though you might wish to improve the wording a little more (the web
pages are stored in the docs/ directory of GIT).

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
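Review bot: the last comment lines of the hunk tie `dynamic_ownership` to the choice between static and dynamic sVirt labels, but that key does not select the labelling mode; it controls whether libvirt sets DAC uid/gid ownership on disk images to match the QEMU process, and the labelling mode is chosen per guest by `<seclabel model='selinux' type="static">` in the domain XML (its absence yields dynamic labelling). The lines `> +# dynamic_ownership: 0 == static assignment of SELinux labels`, `> +#                    1 == dynamic assignment of SELinux labels` and `> +dynamic_ownership=1` should be dropped and the paragraph above them should point readers at the guest XML instead, since leaving them in would lead an administrator to believe a daemon-wide switch governs guest separation. Two smaller points: "A static assignment of SELinux labels imply" should read "implies", and the example level `s0:c210.c502` uses a dot, which in MCS syntax denotes the range c210 through c502 rather than the pair `c210,c502` that the dynamic driver generates; a static label carrying a range lets the guest reach every resource labelled with any category in that span, so the example should use a comma unless a range is genuinely intended, and the surrounding text should say which is meant.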
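The reply states that the labelling mode lives in the guest XML, not in libvirtd.conf. The following is an added example, not libvirt's own code and not part of the thread: a small checker that reads a guest definition, reports whether sVirt will label it statically or dynamically, and flags a static `<label>` whose MCS level uses a category range (`c210.c502`) instead of a pair (`c210,c502`). It assumes only the `<seclabel model='selinux' type=...>` / `<label>` layout shown in the thread and the standard MCS level syntax `sN:cA,cB`; the guest definitions embedded below are constructed for the example, one of them reusing the label from the proposed comment so the range check is visible.

```python
"""Inspect the sVirt <seclabel> of a libvirt guest definition (added example)."""
import xml.etree.ElementTree as ET

# Constructed guest definitions (assumptions for this example, not real hosts).
STATIC_PAIR_GUEST = """<domain type='kvm'>
  <name>vm-static-pair</name>
  <seclabel model='selinux' type='static'>
    <label>system_u:system_r:svirt_t:s0:c210,c502</label>
  </seclabel>
</domain>"""

# Reuses the label from the proposed libvirtd.conf comment in the thread.
PAGE_EXAMPLE_GUEST = """<domain type='kvm'>
  <name>vm-static-range</name>
  <seclabel model='selinux' type="static">
    <label>system_u:system_r:qemu_t:s0:c210.c502</label>
  </seclabel>
</domain>"""

DYNAMIC_GUEST = """<domain type='kvm'>
  <name>vm-dynamic</name>
  <seclabel model='selinux' type='dynamic'/>
</domain>"""

NO_SECLABEL_GUEST = "<domain type='kvm'><name>vm-default</name></domain>"


def categories(level: str) -> list:
    """Return the MCS category tokens of a level such as 's0:c210,c502'.

    A token containing '.' (e.g. 'c210.c502') is a range of categories,
    not a single category.
    """
    if ":" not in level:
        return []
    return level.rsplit(":", 1)[1].split(",")


def describe_seclabel(xml_text: str) -> dict:
    """Report how sVirt will label the guest and flag risky static labels."""
    root = ET.fromstring(xml_text)
    sec = root.find("seclabel")
    result = {"mode": "dynamic", "label": None, "categories": [], "warnings": []}
    if sec is None or sec.get("type", "dynamic") != "static":
        # No static seclabel: libvirt generates a unique category pair for the
        # guest at start and relabels its resources to match.
        return result

    result["mode"] = "static"
    label_el = sec.find("label")
    if label_el is None or not (label_el.text or "").strip():
        result["warnings"].append("static seclabel has no <label>; nothing to assign")
        return result

    label = label_el.text.strip()
    result["label"] = label
    parts = label.split(":", 3)  # user:role:type:level, level may contain ':'
    if len(parts) < 4:
        result["warnings"].append(f"malformed label {label!r}: expected user:role:type:level")
        return result

    result["categories"] = categories(parts[3])
    for cat in result["categories"]:
        if "." in cat:
            result["warnings"].append(
                f"category range {cat}: the guest may access any resource labelled "
                "with a category in that span; use ',' if a pair was intended")
    if not result["categories"]:
        result["warnings"].append(
            "no MCS categories: guest is not separated from other guests at this level")
    return result


if __name__ == "__main__":
    for guest in (STATIC_PAIR_GUEST, PAGE_EXAMPLE_GUEST, DYNAMIC_GUEST, NO_SECLABEL_GUEST):
        print(describe_seclabel(guest))
```

Running it prints one dictionary per guest; only the guest carrying the thread's `c210.c502` label produces a warning, which is the point an administrator copying that example would otherwise miss.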