Re: [RFC] sVirt v0.10 - initial prototype

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Daniel J Walsh <dwalsh@redhat.com>
To: "Daniel P. Berrange" <berrange@redhat.com>
Cc: James Morris <jmorris@namei.org>,
	libvir-list@redhat.com, Daniel Veillard <veillard@redhat.com>,
	Stephen Smalley <sds@tycho.nsa.gov>,
	selinux@tycho.nsa.gov
Subject: Re: [RFC] sVirt v0.10 - initial prototype
Date: Tue, 21 Oct 2008 13:50:20 -0400	[thread overview]
Message-ID: <48FE165C.3040303@redhat.com> (raw)
In-Reply-To: <20081021162217.GN16442@redhat.com>

Daniel P. Berrange wrote:
> On Tue, Oct 21, 2008 at 09:57:15AM -0400, Daniel J Walsh wrote:
>> James Morris wrote:
> 
> [snip]
> 
>>> The domain security label configuration format is as follows:
>>>
>>> # virsh dumpxml sys1
>>> <domain>
>>>     ....
>>>   <seclabel model='selinux'>
>>>     <label>system_u:system_r:virtd_t:s0</label>
>>>     <policytype>targeted</policytype>
>>>   </seclabel>
>>> </domain>
>>>
>>> It's possible to query the security label of a running domain via virsh:
>>>
>>> # virsh dominfo sys1
>>> Id:             1
>>> Name:           sys1
>>> UUID:           fa3c8e06-0877-2a08-06fd-f2479b7bacb4
>>> OS Type:        hvm
>>> State:          running
>>> CPU(s):         1
>>> CPU time:       11.4s
>>> Max memory:     524288 kB
>>> Used memory:    524288 kB
>>> Autostart:      disable
>>> Security label: system_u:system_r:virtd_t:s0 (selinux/targeted/enforcing)
> 
> [snip]
> 
>> Why do we care about the policy type?  Policy type is a fairly
>> meaningless object.  If you are trying to figure out if the host machine
>> is valid to run a virtual machine you should just check whether the type
>> is valid on the machine,  That way if I define minimum policy with virt
>> support on one host and targeted policy with virt support on another
>> machine, both would work.  Finally I think it might be ok for the
>> administrator to request that this virtual machine would only run on a
>> machine with SELinux in enforcing mode. For example if you had a fairly
>> untrusted virtual machine you would want to ensure that the machine was
>> enforcing SELinux before it got started.
> 
> Who/what should be making such a policy decision though ? Seems like the
> management app using libvirt would want to do that - perhaps even making
> that decison before defining the existance of the VM on the target machine,
> let alone starting it.
> 
> When migrating a VM from one host to another an application may also 
> want to verify that the same policy is available on both the source
> and target hosts. A simple 'targeted' vs 'enforcing'  string is likely
> not sufficient in this context. This also feels like host level info,
> rather per-VM.
> 
> I think the 'policytype' bit of the label may thus better live in the
> host capabilities XML document, so you can query it independantly of
> any virtual machine
> 
> eg perhaps something like
> 
> # virsh capabilities 
> <capabilities>
> 
>   <host>
>     <cpu>
>       <arch>i686</arch>
>     </cpu>
>     <secpolicy model='selinux'>
>        <type>targetted</type>
>        <state>enforcing</state>
>     </secpolicy>
>   </host>
> 
>   .... snip rest of XML...
> 
> Is there any meaningful / useful policy version information that can
> be included here ? Or policy feature bits
> 
> The VM config would thus only need
> 
>    <domain>
>      ....
>      <seclabel model='selinux'>
>        <label>system_u:system_r:virtd_t:s0</label>
>      </seclabel>
>      ...
>    </domain>
> 
> 
> I should note that the domain XML format is representative of the config
> for a particular deployment of a virtual machine onto a host. 
> 
> It is not a generic interchange format for 'appliances'. If you were
> distributing an appliance, then the virt-image XML format would be used,
> and this encodes information on pre-requisites for host capabilities. 
> 
> When an appliance is deployed as a virtual domain, the virt-image tool,
> validate the virt-image XML pre-requisites, against the host capabilites
> XML to determine if the host is suitable.
> 
> Daniel
Again targeted means nothing.  It is just an arbitrary name given to a
policy package. So I don't see why it should be mentioned anywhere.

I think the existance of the kernel policy which understands what a
system_u:system_r:virtd_t:s0 is what is important.

Again, I could have a three host machines each one with a different
policy package say targeted, mls and overt policy package.  If all three
understand what a system_u:system_r:virtd_t:s0 type is, then all three
could run the image.

Having two machine with a "targeted" policy on them does nothing to
assure that a processs labeled system_u:system_r:virtd_t:s0
 can run.

As far as enforcing mode is concerned, I thought that you could require
that this virtual machine could only run on machines with SELinux in
enforcing mode. so wouldn't that be associated with the virtual machine?

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

next prev parent reply	other threads:[~2008-10-21 17:50 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-10-21  2:06 [RFC] sVirt v0.10 - initial prototype James Morris
2008-10-21 13:57 ` Daniel J Walsh
2008-10-21 16:22   ` Daniel P. Berrange
2008-10-21 17:50     ` Daniel J Walsh [this message]
2008-10-22  9:51       ` Daniel P. Berrange
2008-10-22  9:50     ` James Morris
2008-10-22 10:03       ` Daniel P. Berrange
2008-10-22 10:05         ` James Morris
2008-10-29 21:51     ` James Morris
2008-10-22  9:23   ` James Morris
2008-10-23 12:05     ` Paul Moore
2008-10-28 21:42       ` James Morris
2008-10-28 22:17         ` Paul Moore
2008-10-29 14:40           ` David P. Quigley
2008-10-21 17:17 ` Daniel P. Berrange
2008-10-22 10:01   ` James Morris
2008-10-30  9:40 ` [libvirt] " Atsushi SAKAI
2008-10-30 19:18   ` Daniel J Walsh

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=48FE165C.3040303@redhat.com \
    --to=dwalsh@redhat.com \
    --cc=berrange@redhat.com \
    --cc=jmorris@namei.org \
    --cc=libvir-list@redhat.com \
    --cc=sds@tycho.nsa.gov \
    --cc=selinux@tycho.nsa.gov \
    --cc=veillard@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.