Re: sVirt and shared disk

On Thu, Aug 27, 2015 at 09:37:13AM +0200, Luc de Louw wrote:
> Hi there,
> 
> Quoting https://libvirt.org/drvqemu.html
> 
> "Disks that are marked as <shared> will get a generic label
> system_u:system_r:svirt_image_t:s0 allowing all guests read/write access
> them"
> 
> The problem now is that the shared disks can potentially be accessed by
> other VMs, which is not really nice.
> 
> Is it safe to remove the shared parameter in the libvirt config and use
> static labeling instead?

NB, <shared> is intended for the case where multiple VMs are accessing
the same disk volume. So whatever label is used needs to allow multiple
VMs to access it. What we really need is some kind of way to have group
labels - eg a way to say VMs X, Y & Z can access the disk, but not VMs
A, B & C, etc. AFAIK, there's no easy way to achieve this with SELinux
MCS levels, hence why libvirt has to just use a generic allow-all label
for shared disks.

You can provide custom labels for any disks on a per-disk basis using
the <seclabel> XML element inside the <source> tag for the disk in
question.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
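The per-disk <seclabel> approach from the reply above, written out as a domain XML fragment. This is an added illustration, not XML from the thread or from the libvirt documentation; the guest names, the disk paths and the category numbers (c100, c200, c301) are assumptions chosen for the example. It uses the `<shareable/>` element, which is the actual domain XML spelling of what the driver page calls "shared". The idea is to hand-manage the MCS categories that Daniel says libvirt cannot group automatically: the shared disk gets a category pair that is a subset of every member guest's process categories, while each guest's private disks carry a category that only that guest has, so MCS dominance lets guest-x and guest-y both reach the shared volume without either being able to read the other's private image.

```xml
<!-- Added example (not from the thread). Group {guest-x, guest-y} shares one
     block device; every label, path and category number below is an assumption.

     MCS rule applied here: a process may read/write a file only if the file's
     categories are a subset of the process's categories.

       guest-x process label : svirt_t:s0:c100,c200,c301
       guest-y process label : svirt_t:s0:c100,c200,c302   (second domain, not shown)
       shared disk label     : svirt_image_t:s0:c100,c200  (subset of both -> both may use it)
       guest-x private disk  : svirt_image_t:s0:c100,c200,c301 (c301 not in guest-y -> denied)
       guest-y private disk  : svirt_image_t:s0:c100,c200,c302 (c302 not in guest-x -> denied)
-->
<domain type='kvm'>
  <name>guest-x</name>
  <memory unit='MiB'>1024</memory>
  <vcpu>1</vcpu>
  <os>
    <type arch='x86_64' machine='pc'>hvm</type>
  </os>

  <!-- Static process label instead of libvirt's random two-category pair.
       relabel='yes' makes libvirt derive the image label for this guest's own
       disks from these categories (svirt_image_t:s0:c100,c200,c301). -->
  <seclabel type='static' model='selinux' relabel='yes'>
    <label>system_u:system_r:svirt_t:s0:c100,c200,c301</label>
  </seclabel>

  <devices>
    <!-- Private OS disk: no per-disk override, so it receives the domain's
         derived image label and stays unreadable to guest-y. -->
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/guest-x.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>

    <!-- Shared cluster volume. The per-disk <seclabel> inside <source>
         replaces the generic allow-all svirt_image_t:s0 label that
         <shareable/> would otherwise trigger; <shareable/> is kept so QEMU
         still treats the device as shared (cache/locking behaviour). -->
    <disk type='block' device='disk'>
      <driver name='qemu' type='raw' cache='none'/>
      <source dev='/dev/mapper/cluster-shared'>
        <seclabel model='selinux' relabel='yes'>
          <label>system_u:object_r:svirt_image_t:s0:c100,c200</label>
        </seclabel>
      </source>
      <target dev='vdb' bus='virtio'/>
      <shareable/>
    </disk>
  </devices>
</domain>
```

guest-y is the same domain with `c302` in place of `c301` in its static label, and the identical `<seclabel>` on `/dev/mapper/cluster-shared`. The cost is that the category sets now have to be allocated and kept unique by hand for every guest on the host, which is the part libvirt normally does for you; after starting both guests, confirm the result with `ps -eZ | grep qemu` for the process labels and `ls -Z` on the images and the shared device, and check the audit log for denials before relying on it.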



