On 07/07/2009 01:06 PM, Gene Czarcinski wrote:
On Monday 06 July 2009 18:22:42 James Morris wrote:
On Mon, 6 Jul 2009, Gene Czarcinski wrote:
Neat!
OK, this is starting to make more sense to me. I like the idea of using
the MCS policy to protect guests from each other.
These slides from LCA should help explain the design further:
http://namei.org/presentations/svirt-lca-2009.pdf
There's also a google video of the talk:
http://video.google.com/videoplay?docid=5750618585157629496&hl=en
Dan Walsh is giving a talk on the topic at Linuxcon in September:
http://linuxcon.linuxfoundation.org/meetings/1571
(which will be especially useful, as the code has evolved since the
initial design).
Thank you one and all. With the provided pointers to documentation I now have
a much better understanding of how sVirt is using MCS.
When I originally saw that MCS was being used to restrict guests, I immediately
thought it was a static implementation but did not see anything on the virtual
disk image files so I thought it was not implemented yet. However, you use MCS
dynamically when a guest is actually run ... this makes more sense and is far
simpler to implement and manage than any static implementation.
I see that you "only" set categories for the virtual disk images and not the
ISO image file ... at least this is what I see and hope this is true ...
example: I OFTEN run two or three guests which booted into rescue mode from a
single netinst CD image.
I noticed that the SELinux rule for virt_image_t allows both read and write as
it must.
However, the SELinux rule for virt_content_t (which is used for ISO image
files) also allows both read and write ... changing this to read-only makes
more sense to me.
These are the rules in F11; it only allows read:
# sesearch --allow -s svirt_t -t virt_content_t
Found 2 semantic av rules:
   allow svirt_t virt_content_t : file { ioctl read getattr lock open } ;
   allow svirt_t virt_content_t : dir { ioctl read getattr lock search open } ;
I still believe that sVirt should not be changing the file context for ISO
images (especially now that I see that categories are not set). One solution
which would "scratch my itch" while still doing (more or less) what is now
done is to add some global sVirt parameter to define what context to use and
have this default to virt_content_t. It would also be nice if this could be
overridden on a per-guest basis also.
Note that I am only talking about files which would use virt_content_t since
the "static" option mentioned in a different email addresses the virtual disk
image file ... at least I think it does.
BTW, it appears that sVirt picks a couple of non-zero random numbers to use
for the category pair. True? If true, is any checking done so there are not
any conflicts/reuse on different guests? [I am trying to avoid going to the
ultimate documentation for any software ... the source code]
Well, it does check if the MCS label is unique among svirt images and it
makes sure that the two numbers are different. s0:c1,c1 == s0:c1 which
is not allowed.
Gene
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
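
The uniqueness check described in the last reply, as an added sketch that is not part of the thread and is not libvirt's own code. It assumes sensitivity s0 and categories c0..c1023 from the default MCS policy; all function names are hypothetical.

```python
import random

MCS_CATEGORIES = 1024  # assumption: categories c0..c1023 of the default MCS policy


def parse_label(label):
    """Turn 's0:c3,c7' into the set of category numbers {3, 7}."""
    sensitivity, _, cats = label.partition(":")
    if sensitivity != "s0" or not cats:
        raise ValueError(f"not an s0 MCS label with categories: {label!r}")
    return frozenset(int(c[1:]) for c in cats.split(","))


def format_label(a, b):
    """Canonical label for a category pair, lower number first."""
    if a == b:
        # s0:c1,c1 is just s0:c1: one category, so it is rejected
        raise ValueError("the two category numbers must differ")
    lo, hi = sorted((a, b))
    return f"s0:c{lo},c{hi}"


def dominates(process_label, file_label):
    """MCS allows access only if the process holds every category on the file."""
    return parse_label(process_label) >= parse_label(file_label)


def allocate_label(in_use, rng=None, max_tries=10000):
    """Pick a random category pair that no running guest already has."""
    rng = rng or random.SystemRandom()
    taken = {parse_label(label) for label in in_use}
    for _ in range(max_tries):
        a, b = rng.randrange(MCS_CATEGORIES), rng.randrange(MCS_CATEGORIES)
        if a == b or frozenset((a, b)) in taken:
            continue  # same number twice, or pair already assigned: retry
        return format_label(a, b)
    raise RuntimeError("no free MCS category pair found")


if __name__ == "__main__":
    guests = []  # constructed sample: labels of the guests started so far
    for _ in range(3):
        guests.append(allocate_label(guests))
    print(guests)
    # Two distinct pairs never contain each other, so no guest dominates another
    print(any(dominates(p, f) for p in guests for f in guests if p != f))
```

A guest labelled with a pair would dominate a file carrying only one of its categories, which is why every dynamic label here is a full two-category pair.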