On 03/14/2012 01:32 AM, Alex Jia wrote:
> I'm not sure whether you met a sanlock AVC error in your
> /var/log/audit/audit.log, could you check it and provide your
> selinux-policy version? in addition, you should turn on selinux bool
> value for sanlock, for example,
>
> # getsebool -a|grep sanlock
> virt_use_sanlock --> off
> # setsebool -P virt_use_sanlock on
> # getsebool -a|grep sanlock
> virt_use_sanlock --> on

Yuck - we have a documentation bug, since http://libvirt.org/locking.html doesn't mention virt_use_sanlock at all.

What sort of AVCs are expected if the bool is false, and what security implications are there by setting it to true?

For example, if virt_use_nfs is false, you can't use NFS storage for guest disk images (at least not until qemu adds better support for fd passing everywhere); but if it is true, then you are admitting that a compromised qemu guest can do whatever it wants to other files within the confines of your NFS mount point, rather than the normal sVirt guarantee that it can only touch the files that have been labeled for that guest - if you trust your guests, or use different NFS mount points per guest, then setting the bool to true won't pose a significant risk to you; if you don't trust your guests, then documenting the risks of this bool would be enough to convince me to use iSCSI or other shared storage alternative with more security guarantees even though it requires more administrative setup on my part.

But I don't even know the risks of virt_use_sanlock to document them or what could be used as alternatives.

-- 
Eric Blake   eblake@xxxxxxxxxx    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
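
Added example, not part of the original message or of libvirt: a small shell check that reads saved `getsebool -a` output and an audit log, reports the state of the two booleans discussed above, and lists AVC denials that mention sanlock. The function names and the sample boolean list and audit records are constructed for illustration; the thread does not say which denials the policy actually produces.

```shell
#!/bin/sh
# Added example. All sample data below is constructed, not taken from the thread.

# bool_state NAME FILE: state of one boolean in saved `getsebool -a` output
# (lines look like "virt_use_sanlock --> off"). Prints nothing if absent.
bool_state() {
    awk -v name="$1" '$1 == name && $2 == "-->" { print $3 }' "$2"
}

# sanlock_avcs FILE: one "comm tclass perms" line per AVC denial mentioning sanlock.
sanlock_avcs() {
    grep 'type=AVC' "$1" | grep 'denied' | grep 'sanlock' |
        sed -n 's/.*{ \([^}]*\) }.*comm="\([^"]*\)".*tclass=\([A-Za-z0-9_]*\).*/\2 \3 \1/p'
}

# report BOOLS_FILE AUDIT_FILE: boolean states plus a count of matching denials.
report() {
    for b in virt_use_sanlock virt_use_nfs; do
        s=$(bool_state "$b" "$1")
        echo "$b: ${s:-not present in this policy}"
    done
    echo "sanlock-related AVC denials:"
    sanlock_avcs "$2" | sort | uniq -c
}

# Constructed sample input so the script runs offline.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/bools" <<'EOF'
virt_use_nfs --> off
virt_use_sanlock --> off
virt_use_usb --> on
EOF
cat > "$SAMPLE_DIR/audit.log" <<'EOF'
type=AVC msg=audit(1331700000.101:501): avc:  denied  { connectto } for  pid=2101 comm="libvirtd" path="/var/run/sanlock/sanlock.sock" scontext=system_u:system_r:virtd_t:s0 tcontext=system_u:system_r:sanlock_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1331700002.233:502): avc:  denied  { read } for  pid=2150 comm="httpd" name="index.html" dev=dm-0 ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1331700000.101:501): arch=c000003e syscall=42 success=no exit=-13 comm="libvirtd" exe="/usr/sbin/libvirtd"
EOF
report "$SAMPLE_DIR/bools" "$SAMPLE_DIR/audit.log"
```

On a real host, save `getsebool -a` to a file and pass it to `report` together with /var/log/audit/audit.log.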