On Mon, Dec 07, 2009 at 06:09:55PM +0100, Joanna Rutkowska wrote: > > Also, SELinux seems to me like a step into the wrong direction. It not > only adds complexity to the already-too-complex kernel, but requires > complex configuration. See e.g. this paper[1] for a nice example of how > to escape SE-sandboxed qemu on FC8 due to SELinux policy misconfiguration. Things have changed alot since the time the that Xen SELinux policy was written. The Xen policy was always a tradeoff between usability & security sine the XenD managment tools were playing no part in the configuration, leaving it upto the administrator. With KVM & SELinx, the management tools play an active part in configuration, removing this burden from the adminsitrator. Each VM runs under a SELinux context with a dedicated MLS category, and the resources the VM is assigned have their labelling set to match. The guest policy only allows it access to resources with a matching MLS level, so it not gain access to anything the administrator has not explicitly granted in the VM's configuration. This is actually simpler for administrators, since they no longer need to manage labelling themselves, while offering greater protection between VMs which was also not possible with the old Xen policy Regards, Daniel -- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :| -- To unsubscribe from this list: send the line "unsubscribe kvm" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
