From: Daniel J Walsh <dwalsh@redhat.com>
To: Ramon de Carvalho Valle <rcvalle@linux.vnet.ibm.com>
Cc: rhel6-cc-external-list@redhat.com, SELinux <selinux@tycho.nsa.gov>
Subject: Re: [Rhel6-cc-external-list] Processes executing as qemu_t SELinux type are not allowed to access vhost_device_t
Date: Fri, 08 Apr 2011 14:40:32 -0400
Message-ID: <4D9F56A0.7040804@redhat.com>
In-Reply-To: <4D9F4C2D.9090207@linux.vnet.ibm.com>

On 04/08/2011 01:55 PM, Ramon de Carvalho Valle wrote:
> Hi Daniel,
> 
> On 04/06/2011 04:57 PM, Ramon de Carvalho Valle wrote:
>>>> I don't see how this would be ok.  The sad part is I would argue dynamic
>>>> labeling is more secure than static labeling.
>> The result is that most of the tests for the evaluation do not apply
>> to the MLS policy (I will send them in a separate email).
> 
>>>>
>>>> If you label to virt machines as TopSecret, a compromised TopSecret
>>>> Machine could attack all the virtual Machines that are running as
>>>> TopSecret.  In Dynamic labeling all virtual machines are isolated.
>>>>
>>>> I guess you could carve up a subsection of the MLS/MCS namespace and
>>>> allow libvirt to set labels in those zones.  But the idea of an app
>>>> randomly changing the label of a file/device on the fly, is not what MLS
>>>> tends to like.
>> This may be something that is not desirable. However, the default MLS
>> dominance could be changed to have one sensitivity excluded from the
>> dominance hierarchy (or a new sensitivity be added). Thus, for that
>> removed (or new) sensitivity, libvirt could execute with dynamic
>> labeling enabled.
> What do you think of the implementation of a sensitivity s16 (or sv) out of
> the s0-s15 hierarchy? The argument would be that a virtual machine must
> be considered as a single isolated physical device, and is not part of
> the MLS logical hierarchy of objects in the host.
> 
> Best regards,
> 


We could do that, but it is not MLS, at that point.  It would involve
some engineering of libvirt and some policy rewrite to allow MLS values
of > s15.  I am not sure what the definition of SystemHigh would be
then.  I think it would be best if this was brought up for discussion on
a public list like SELinux <selinux@tycho.nsa.gov>