-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 04/11/2011 01:33 PM, Stephen Smalley wrote: > On Mon, 2011-04-11 at 11:24 -0400, Daniel J Walsh wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> On 04/11/2011 09:40 AM, Stephen Smalley wrote: >>> On Sun, 2011-04-10 at 14:12 -0300, Ramon de Carvalho Valle wrote: >>>> However, I and Dan Walsh (who kindly informed me about libvirt) both >>>> agree that dynamic labeling is more secure than manual labeling using >>>> MLS policy, for virtual machine environments. >>> >>> Can you elaborate on what your concern is there? If it is merely that >>> two VMs at the same level are not isolated via the MLS policy, then that >>> isn't a MLS concern, and you could use TE instead to isolate the VMs of >>> the same level. >>> >> I think what he is after is the convenience of dynamic labeling, for >> isolation. Yes he could create new types for each instance, which every >> virtual machine would need, this could cause a potential explosion in >> the number of types and would be subject to failure. It would be >> putting a large onus on the Admin to manage all of these types. The >> real beauty of dynamic labeling is that it just works. Yes, exactly. > > The types could be automatically generated from a template, and managed > by libvirt in much the same way it presently manages categories. > > In any event, he can do the same thing by use of categories rather than > introducing an incomparable set of sensitivities, and that wouldn't > require any changes to the policy toolchain or kernel security server. > I know it may be too intrusive to the policy toolchain. However, there are a number of benefits that may be taken in consideration. This allows the categorization of processes representing virtual machine environments in different sensitivities within a pre-defined standard set which belongs only this type of processes-Instead of manually reserving a non standard range of categories. Also, this may allow virtualisation software to act in a well defined environment instead of each one adopting custom different solutions (i.e. non standard range of categories, dynamic labeling, different types for each instance). Also, as Daniel said, this may allow the use of dynamic labeling within one of these sensitivities (i.e. sv0), and allow custom processes representing virtual machine environments to have static labels in the same or other sensitivities with higher privileges. No other types of processes should have access to these sensitivities unless explicitly stated, which may be the case of libvirt. This can be an entirely optional feature aimed to virtualised environments and opens the possibility for developing new features that could benefit from this additional level of granularity. - -- Ramon de Carvalho Valle Security Engineer IBM Linux Technology Center rcvalle@xxxxxxxxxxxxxxxxxx http://rcvalle.com/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk2jNxIACgkQkcIYeh81wLk/cACfefbk0X60e5e4NOWC3yQrygV8 /28An3xokMo4uCQ6lxZqlV1NhzuP2+NB =qsVc -----END PGP SIGNATURE----- -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
