On 07/07/2009 01:06 PM, Gene Czarcinski wrote:
On Monday 06 July 2009 18:22:42 James Morris wrote:
On Mon, 6 Jul 2009, Gene Czarcinski wrote:
Neat!
OK, this is starting to make more sense to me. I like the idea of using the MCS policy to protect guests from each other.
These slides from LCA should help explain the design further: http://namei.org/presentations/svirt-lca-2009.pdf
There's also a google video of the talk: http://video.google.com/videoplay?docid=5750618585157629496&hl=en
Dan Walsh is giving a talk on the topic at Linuxcon in September: http://linuxcon.linuxfoundation.org/meetings/1571
(which will be especially useful, as the code has evolved since the initial design).
Thank you one and all. With the provided pointers to documentation I now have a much better understanding of how sVirt is using MCS.
When I originally saw that MCS was being used to restrict guests, I immediately thought it was a static implementation but did not see anything on the virtual disk image files so I thought it was not implemented yet. However, you use MCS dynamically when a guest is actually run ... this makes more sense and is far simpler to implement and manage than any static implementation.
I see that you "only" set categories for the virtual disk images and not the ISO image file ... at least this is what I see and hope this is true ... example: I OFTEN run two or three guests which booted into rescue mode from a single netinst CD image.
I noticed that the SELinux rule for virt_image_t allows both read and write as it must.
However, the SELinux rule for virt_content_t (which is used for ISO image files) also allows both read and write ... changing this to read-only makes more sense to me.
These are the rules in F11; it only allows read:
# sesearch --allow -s svirt_t -t virt_content_t
Found 2 semantic av rules:
   allow svirt_t virt_content_t : file { ioctl read getattr lock open } ;
   allow svirt_t virt_content_t : dir { ioctl read getattr lock search open } ;
I still believe that sVirt should not be changing the file context for ISO images (especially now that I see that categories are not set). One solution which would "scratch my itch" while still doing (more or less) what is now done is to add some global sVirt parameter to define what context to use and have this default to virt_content_t. It would also be nice if this could be overridden on a per-guest basis also.
Note that I am only talking about files which would use virt_content_t since the "static" option mentioned in a different email addresses the virtual disk image file ... at least I think it does.
BTW, it appears that sVirt picks a couple of non-zero random numbers to use for the category pair. True? If true, is any checking done so there are not any conflicts/reuse on different guests? [I am trying to avoid going to the ultimate documentation for any software ... the source code]
Well, it does check if the MCS label is unique among svirt images and it makes sure that the two numbers are different. s0:c1,c1 == s0:c1, which is not allowed.
Gene
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
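The uniqueness and "two distinct categories" checks discussed above, as an added illustration that is not libvirt/sVirt's own code (the category range c0..c1023 and the helper names are assumptions; the set of running-guest labels is constructed for the example):

```python
import random
import re

# Assumed category range: MCS on Fedora defines c0..c1023. This is a
# constructed example, not libvirt/sVirt's own label generator.
MAX_CATEGORY = 1023
SENSITIVITY = "s0"

# Matches "s0", "s0:c5" or "s0:c5,c9"; we only deal with the MCS part.
_LABEL_RE = re.compile(r"^(s\d+)(?::c(\d+)(?:,c(\d+))?)?$")


def canonicalize(label):
    """Normalize an MCS label so duplicate categories collapse and the
    categories are sorted: 's0:c1,c1' -> 's0:c1', 's0:c7,c3' -> 's0:c3,c7'.
    This is why s0:c1,c1 is the same label as s0:c1 and gives no isolation."""
    m = _LABEL_RE.match(label)
    if not m:
        raise ValueError(f"not an MCS label: {label!r}")
    sens = m.group(1)
    cats = sorted({int(c) for c in m.groups()[1:] if c is not None})
    if not cats:
        return sens
    return sens + ":" + ",".join(f"c{c}" for c in cats)


def is_category_pair(label):
    """True only if the label carries two distinct categories, which is what
    a guest label needs; 's0:c1,c1' collapses to a single category and fails."""
    m = _LABEL_RE.match(label)
    if not m or m.group(2) is None or m.group(3) is None:
        return False
    return m.group(2) != m.group(3)


def labels_collide(a, b):
    """Two guests are only separated by MCS if their canonical labels differ."""
    return canonicalize(a) == canonicalize(b)


def pick_guest_label(in_use, rng=random, attempts=1000):
    """Pick a random s0:cA,cB label with A != B that no running guest uses.

    in_use: labels currently assigned to other running guests (any spelling;
    they are canonicalized before comparison so s0:c3,c200 == s0:c200,c3).
    """
    used = {canonicalize(lbl) for lbl in in_use}
    for _ in range(attempts):
        a = rng.randint(0, MAX_CATEGORY)
        b = rng.randint(0, MAX_CATEGORY)
        if a == b:
            continue  # s0:cN,cN would degrade to a single category
        label = canonicalize(f"{SENSITIVITY}:c{a},c{b}")
        if label not in used:  # reject a pair already held by another guest
            return label
    raise RuntimeError("could not find a free MCS category pair")


if __name__ == "__main__":
    # Constructed set of labels for guests that are already running.
    running = {"s0:c12,c34", "s0:c200,c3"}
    new_label = pick_guest_label(running, random.Random(42))
    print("new guest label:", new_label)
    print("collides with a running guest:",
          any(labels_collide(new_label, r) for r in running))
    print("s0:c1,c1 is a usable pair:", is_category_pair("s0:c1,c1"))
```

Run it as a script to see a fresh label being chosen against the constructed running set; the canonicalization step is the part worth keeping in mind, since a label that only looks different (reordered or repeated categories) does not buy any isolation.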