On 04/08/2013 12:45 AM, yue wrote:
> hi, all
> I now test selinux (enforcing). I assign an nfs-image to a VM, then start it.
> at the beginning I set virt_use_nfs on; its image does not have an MCS corresponding to the qemu-kvm process's MCS
> then I remount nfs with -o context="system_u:object_r:virt_image_t:s0", restart the VM; its image does not have a corresponding MCS.
> #ls -lZ
> ####system_u:object_r:virt_image_t:s0 803003d2-3a2b-4581-a7cb-dc7fac06e7af
> why does this happen? Is this right for NFS?

NFS doesn't support SELinux labels. Setting 'virt_use_nfs on' is your way of telling SELinux 'I acknowledge that I can't set MCS labels on NFS files, and that I therefore have a security risk that by turning this on, a rogue guest could corrupt ANY file in NFS rather than just the files assigned to the guest'.

There are plans under way to teach qemu how to pass NFS files in by file descriptor, instead of letting qemu open() them; if these plans ever reach completion, then the 'virt_use_nfs on' option will no longer be necessary - it will be possible to use SELinux to prevent qemu from directly open()ing any file that lives on NFS, and libvirt will use fd passing to tell qemu which NFS files it may access. But that probably still won't happen in time for the upcoming qemu 1.5 release.

Meanwhile, what you are observing is correct - it is the best we can do with existing NFS restrictions.

--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
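As an added illustration (not part of the thread above, and not libvirt's own code), the following script performs the check an administrator would do by hand when an image on an NFS share shows no per-guest MCS category: it locates the mount backing the image, reports whether the filesystem is NFS, extracts any share-wide context= mount option, and reads the virt_use_nfs boolean state. The /proc/mounts and getsebool lines it uses are constructed samples modelled on the question.

```python
import re
from typing import List, NamedTuple, Optional


class Mount(NamedTuple):
    mountpoint: str
    fstype: str
    context: Optional[str]  # value of a context= mount option, else None


# Constructed sample of /proc/mounts: a local root plus an NFS share
# remounted with -o context=... as in the question above.
SAMPLE_MOUNTS = """\
/dev/mapper/vg-root / ext4 rw,relatime,seclabel 0 0
nas:/export/images /var/lib/libvirt/images nfs4 rw,relatime,vers=4.0,context="system_u:object_r:virt_image_t:s0" 0 0
"""
SAMPLE_GETSEBOOL = "virt_use_nfs --> on\n"  # constructed getsebool output


def parse_mounts(text: str) -> List[Mount]:
    """Parse /proc/mounts-style lines: '<dev> <mountpoint> <fstype> <opts> 0 0'."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ctx = None
        for opt in parts[3].split(","):
            m = re.fullmatch(r'context="?([^"]+)"?', opt)  # quoted in /proc/mounts
            if m:
                ctx = m.group(1)
        mounts.append(Mount(parts[1], parts[2], ctx))
    return mounts


def parse_getsebool(text: str, boolean: str = "virt_use_nfs") -> bool:
    """True when 'getsebool <boolean>' output reports the boolean as on."""
    m = re.search(rf"^{boolean} --> (on|off)$", text, re.M)
    return bool(m and m.group(1) == "on")


def mount_for(path: str, mounts: List[Mount]) -> Mount:
    """Longest-prefix match of the image path against the mountpoints."""
    hits = [m for m in mounts
            if path == m.mountpoint or path.startswith(m.mountpoint.rstrip("/") + "/")]
    return max(hits, key=lambda m: len(m.mountpoint))


def assess(image: str, mounts_text: str, getsebool_text: str) -> dict:
    """Report what labelling sVirt can apply to this image and why."""
    m = mount_for(image, parse_mounts(mounts_text))
    on_nfs = m.fstype.startswith("nfs")
    return {
        "fstype": m.fstype,
        "on_nfs": on_nfs,
        "per_guest_mcs": not on_nfs,   # NFS has no per-file labels, so no per-guest category
        "share_label": m.context,      # a context= mount labels every file on the share alike
        "virt_use_nfs": parse_getsebool(getsebool_text),
    }
```

On a live host, feed `assess()` the contents of /proc/mounts and the output of `getsebool virt_use_nfs` in place of the constructed samples.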