On Friday, 4 March 2011, at 17:35:03, Daniel P. Berrange wrote:

Hi Daniel,

> On Fri, Mar 04, 2011 at 04:53:20PM +0100, Stephan Mueller wrote:
> > Hi,
> >
> > I would like to propose the following patch for the libvirtd.conf file to
> > document sVirt and its usage. If you have suggestions to add better
> > wording, please let me know.
> >
> > (If you reply with comments, could you please CC me as I am not on the
> > list.)
> >
> > -
> > +#################################################################
> > +#
> > +# sVirt protection mechanisms
> > +#
> > +# The following options specify the separation of virtual machines
> > +# based on SELinux categories. As virtual machines execute with the
> > +# same user ID, an additional separation functionality is necessary
> > +# to prevent different virtual machines from interfering with each other
> > +# in case the simulation environment provided with QEMU is
> > +# successfully broken by a rogue guest.
> > +#
> > +# The sVirt protection mechanism implements two modes of operation:
> > +# dynamic assignment of SELinux categories
> > +# static assignment of SELinux labels
> > +#
> > +# A dynamic assignment of categories implies that libvirt generates
> > +# a unique SELinux category that the virtual machine and its resources
> > +# are assigned to during the instantiation of the virtual machine.
> > +# SELinux ensures that each virtual machine can only access resources
> > +# labeled with the same category as the virtual machine itself.
> > +#
> > +# A static assignment of SELinux labels imply that the administrator
> > +# manually configures the SELinux label of the virtual machine in
> > +# /etc/libvirt/qemu/<VM-DESCRIPTOR> based on the following example:
> > +#
> > +# <seclabel model='selinux' type="static">
> > +# <label>system_u:system_r:qemu_t:s0:c210.c502</label>
> > +# </seclabel>
> > +#
> > +# The <label> tag specifies a full SELinux label the virtual machine
> > +# will be executed with.
> > +#
> > +# In addition to the setting of the SELinux label of the virtual
> > +# machine, the administrator must manually set the SELinux label
> > +# of all resources the virtual machine accesses appropriately.
> > +#
> > +# NOTE: The dynamic assignment of categories is only intended for
> > +# systems with the targeted SELinux policy. Systems with the MLS
> > +# SELinux policy MUST use the static assignment of labels.
> > +# It is possible that static assignment is configured for
> > +# systems with the targeted policy as well.
> > +#
> > +# dynamic_ownership: 0 == static assignment of SELinux labels
> > +# 1 == dynamic assignment of SELinux labels
> > +dynamic_ownership=1
> > +#
>
> This is not what the dynamic_ownership parameter does - it actually
> has nothing to do with SELinux / sVirt. This determines whether
> libvirt will set the user/group DAC ownership on the disk images
> to match the uid/gid the QEMU process runs under.
>

I see. Thanks for the clarification.

> Whether libvirt uses static or dynamic SELinux labels is entirely
> controlled by the guest XML config. This is explained a little bit
> in this webpage:
>
> http://libvirt.org/drvqemu.html#securitysvirt
>
> though you might wish to improve the wording a little more (the web
> pages are stored in the docs/ directory of GIT).

This statement there is not fully clear. Can you please briefly state how you switch between dynamic and static labeling.

>
> Regards,
> Daniel

Ciao
Stephan

--
Stephan Müller
Stephan.Mueller@xxxxxxxxx
+49 172 216 55 78
atsec information security GmbH, Steinstraße 70, 81667 München, Germany
Managing directors: Salvatore la Pietra, Staffan Persson
HRB: 129439 (Amtsgericht München)
atsec it security news blog - atsec-information-security.blogspot.com

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
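Review bot: the `dynamic_ownership: 0 == static ... / 1 == dynamic ...` legend and the `dynamic_ownership=1` line at the end of the hunk document the wrong knob. As the reply points out, `dynamic_ownership` only decides whether libvirt sets the DAC user/group ownership of disk images to match the uid/gid QEMU runs as; the static-versus-dynamic sVirt choice is made per guest through the `type` attribute of the `<seclabel model='selinux'>` element that the hunk's own example shows. Drop the three `dynamic_ownership` lines from the sVirt block (or document that key under its real DAC meaning, outside this block) and end the comment by pointing readers at `<seclabel>` in the guest XML instead. While touching the text: "A static assignment of SELinux labels imply" should read "implies", and "simulation environment provided with QEMU" is clearer as "emulation environment provided by QEMU".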
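The thread leaves the practical question open: given a guest definition, which labelling mode is in force, and for a static label, do the guest's disk images actually carry the same MCS categories as the `<label>` (the comment block says the administrator must set those by hand)? The following Python script is an added example written for this page; it is not libvirt code and not part of the patch. It assumes that a guest with no `<seclabel model='selinux'>` element falls back to dynamic labelling and that `type='dynamic'` is the counterpart of the `type="static"` shown in the hunk; both are assumptions, not statements from the page. The guest XML, file paths and on-disk contexts (including the `svirt_image_t` type) are constructed sample data, and the category comparison follows the page's own rule that a guest may only touch resources labelled with its own category.

```python
"""Audit the sVirt labelling mode of a libvirt guest definition.

Added example for the libvir-list thread above, not libvirt's own code.
Reads the <seclabel> element of a domain XML and, for static labels,
checks that every file-backed disk carries the same MCS categories as
the guest label. Real file contexts come from the security.selinux
extended attribute (Linux only); the demo below uses a constructed table.
"""
import os
import xml.etree.ElementTree as ET

# Constructed guest definition: static label with categories c210.c502,
# modelled on the <seclabel> example in the proposed comment block.
SAMPLE_STATIC_XML = """<domain type='kvm'>
  <name>guest-a</name>
  <devices>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/guest-a.img'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <disk type='file' device='cdrom'>
      <source file='/var/lib/libvirt/images/install.iso'/>
      <target dev='hdc' bus='ide'/>
    </disk>
  </devices>
  <seclabel model='selinux' type='static'>
    <label>system_u:system_r:qemu_t:s0:c210.c502</label>
  </seclabel>
</domain>"""

# Constructed guest that asks libvirt to pick a category itself.
# Assumption: type='dynamic' is the counterpart of type='static'.
SAMPLE_DYNAMIC_XML = """<domain type='kvm'>
  <name>guest-b</name>
  <devices>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/guest-b.img'/>
    </disk>
  </devices>
  <seclabel model='selinux' type='dynamic'/>
</domain>"""


def selinux_mode(domain_xml):
    """Return (mode, label) for the guest's SELinux seclabel.

    Assumption: a guest without a <seclabel model='selinux'> element is
    treated as dynamically labelled, so (\"dynamic\", None) is returned.
    """
    root = ET.fromstring(domain_xml)
    sec = root.find("seclabel[@model='selinux']")
    if sec is None:
        return ("dynamic", None)
    label = sec.findtext("label")
    return (sec.get("type", "dynamic"), label.strip() if label else None)


def categories(label):
    """Return the MCS category field of a full context, or None if absent.

    system_u:system_r:qemu_t:s0:c210.c502 -> 'c210.c502'
    """
    fields = label.split(":")
    return fields[4] if len(fields) >= 5 else None


def disk_sources(domain_xml):
    """List the backing files of all file-backed disks in the guest."""
    root = ET.fromstring(domain_xml)
    return [s.get("file") for s in root.findall("devices/disk/source")
            if s.get("file")]


def file_selinux_label(path):
    """Read the on-disk SELinux context of path (Linux only)."""
    raw = os.getxattr(path, "security.selinux")
    return raw.rstrip(b"\0").decode()


def table_lookup(table):
    """Build a label lookup from a dict of path -> context, so the audit
    can run without a live SELinux filesystem (test data only)."""
    def lookup(path):
        if path not in table:
            raise FileNotFoundError(path)
        return table[path]
    return lookup


def audit_static_labels(domain_xml, label_of=file_selinux_label):
    """Return [(path, found_categories_or_error), ...] for every disk whose
    categories differ from the guest's static label. Empty list means the
    guest is dynamically labelled or all disks match."""
    mode, vm_label = selinux_mode(domain_xml)
    if mode != "static" or not vm_label:
        return []
    want = categories(vm_label)
    mismatches = []
    for path in disk_sources(domain_xml):
        try:
            have = categories(label_of(path))
        except OSError as exc:
            mismatches.append((path, "unreadable: %s" % exc))
            continue
        if have != want:
            mismatches.append((path, have))
    return mismatches


if __name__ == "__main__":
    # Constructed contexts: the install ISO was relabelled with the wrong
    # categories, which SELinux would then deny the guest access to.
    demo = table_lookup({
        "/var/lib/libvirt/images/guest-a.img":
            "system_u:object_r:svirt_image_t:s0:c210.c502",
        "/var/lib/libvirt/images/install.iso":
            "system_u:object_r:svirt_image_t:s0:c11.c99",
    })
    mode, label = selinux_mode(SAMPLE_STATIC_XML)
    print("guest-a: %s label %s" % (mode, label))
    for path, have in audit_static_labels(SAMPLE_STATIC_XML, label_of=demo):
        print("  mismatch: %s has categories %r, guest wants %r"
              % (path, have, categories(label)))
```

On a real host, call `audit_static_labels(open(path).read())` with the default `label_of` to read the contexts from disk; the dynamic case is reported as clean because libvirt, not the administrator, is responsible for those labels.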