On Monday 06 July 2009 18:22:42 James Morris wrote:
> On Mon, 6 Jul 2009, Gene Czarcinski wrote:
> > Neat!
> >
> > OK, this is starting to make more sense to me. I like the idea of using
> > the MCS policy to protect guests from each other.
>
> These slides from LCA should help explain the design further:
> http://namei.org/presentations/svirt-lca-2009.pdf
>
> There's also a google video of the talk:
> http://video.google.com/videoplay?docid=5750618585157629496&hl=en
>
> Dan Walsh is giving a talk on the topic at Linuxcon in September:
> http://linuxcon.linuxfoundation.org/meetings/1571
>
> (which will be especially useful, as the code has evolved since the
> initial design).

Thank you one and all. With the provided pointers to documentation I now have a much better understanding of how sVirt is using MCS.

When I originally saw that MCS was being used to restrict guests, I immediately thought it was a static implementation but did not see anything on the virtual disk image files so I thought it was not implemented yet. However, you use MCS dynamically when a guest is actually run ... this makes more sense and is far simpler to implement and manage than any static implementation.

I see that you "only" set categories for the virtual disk images and not the ISO image file ... at least this is what I see and hope this is true ... example: I OFTEN run two or three guests which booted into rescue mode from a single netinst CD image.

I noticed that the SELinux rule for virt_image_t allows both read and write as it must. However, the SELinux rule for virt_content_t (which is used for ISO image files) also allows both read and write ... changing this to read-only makes more sense to me.

I still believe that sVirt should not be changing the file context for ISO images (especially now that I see that categories are not set).

One solution which would "scratch my itch" while still doing (more or less) what is now done is to add some global sVirt parameter to define what context to use and have this default to virt_content_t. It would also be nice if this could be overridden on a per-guest basis also. Note that I am only talking about files which would use virt_content_t since the "static" option mentioned in a different email addresses the virtual disk image file ... at least I think it does.

BTW, it appears that sVirt picks a couple of non-zero random numbers to use for the category pair. True? If true, is any checking done so there are not any conflicts/reuse on different guests? [I am trying to avoid going to the ultimate documentation for any software ... the source code]

Gene
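
As an added illustration of the dynamic labelling discussed in this message (not part of the original email, and not sVirt's or libvirt's code), the Python model below gives each running guest a unique random MCS category pair, redrawing on collision, and applies the MCS dominance rule to show why guests cannot reach each other's disk images while an ISO left without categories stays readable by all of them. The `McsAllocator` class, the `c0..c1023` category range and the sample labels are assumptions; type enforcement rules such as those for virt_content_t are outside this model.

```python
import random

def parse_level(level):
    """Split 's0:c12,c345' into (sensitivity, set of category numbers).
    Only the comma-separated form is handled, not 'c0.c1023' ranges."""
    sens, _, cats = level.partition(":")
    return sens, frozenset(int(c[1:]) for c in cats.split(",") if c)

def dominates(process_level, file_level):
    """MCS category check: the process must hold every category on the file."""
    p_sens, p_cats = parse_level(process_level)
    f_sens, f_cats = parse_level(file_level)
    return p_sens == f_sens and p_cats >= f_cats

class McsAllocator:
    """Hypothetical allocator: one unique random category pair per running guest."""

    def __init__(self, categories=1024, rng=None):
        self.categories = categories          # assumed range c0..c1023
        self.rng = rng or random.SystemRandom()
        self.in_use = {}                      # guest name -> level string

    def start_guest(self, name):
        taken = set(self.in_use.values())
        if len(taken) >= self.categories * (self.categories - 1) // 2:
            raise RuntimeError("no free category pair left")
        while True:
            c1, c2 = sorted(self.rng.sample(range(self.categories), 2))
            level = f"s0:c{c1},c{c2}"
            if level not in taken:            # collision with a running guest: redraw
                self.in_use[name] = level
                return level

    def stop_guest(self, name):
        self.in_use.pop(name, None)           # pair becomes reusable

def demo():
    alloc = McsAllocator()
    a, b = alloc.start_guest("guest-a"), alloc.start_guest("guest-b")
    shared_iso = "s0"                         # constructed: ISO left without categories
    return {
        "a_own_disk": dominates(a, a),
        "a_to_b_disk": dominates(a, b),
        "a_shared_iso": dominates(a, shared_iso),
        "b_shared_iso": dominates(b, shared_iso),
    }

if __name__ == "__main__":
    print(demo())
```
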