* Re: [Rhel6-cc-external-list] Processes executing as qemu_t SELinux type are not allowed to access vhost_device_t
From: Daniel J Walsh @ 2011-04-08 18:40 UTC (permalink / raw)
  To: Ramon de Carvalho Valle; +Cc: rhel6-cc-external-list, SELinux


On 04/08/2011 01:55 PM, Ramon de Carvalho Valle wrote:
> Hi Daniel,
> 
> On 04/06/2011 04:57 PM, Ramon de Carvalho Valle wrote:
>>>> I don't see how this would be ok.  The sad part is I would argue dynamic
>>>> labeling is more secure than static labeling.
>> The result is that most of the tests for the evaluation do not apply
>> to the MLS policy (I will send them in a separate email).
> 
>>>>
>>>> If you label to virt machines as TopSecret, a compromised TopSecret
>>>> Machine could attack all the virtual Machines that are running as
>>>> TopSecret.  In Dynamic labeling all virtual machines are isolated.
>>>>
>>>> I guess you could carve up a subsection of the MLS/MCS namespace and
>>>> allow libvirt to set labels in those zones.  But the idea of an app
>>>> randomly changing the label of a file/device on the fly, is not what MLS
>>>> tends to like.
>> This may be something that is not desirable. However, the default MLS
>> dominance could be changed to have one sensitivity excluded from the
>> dominance hierarchy (or a new sensitivity be added). Thus, for that
>> removed (or new) sensitivity, libvirt could execute with dynamic
>> labeling enabled.
> What do you think of the implementation of a sensitivity s16 (or sv) out of
> the s0-s15 hierarchy? The argument would be that a virtual machine must
> be considered as a single isolated physical device, and is not part of
> the MLS logical hierarchy of objects in the host.
> 
> Best regards,
> 


We could do that, but it is not MLS, at that point.  It would involve
some engineering of libvirt and some policy rewrite to allow MLS values
of > s15.  I am not sure what the definition of SystemHigh would be
then.  I think it would be best if this was brought up for discussion on
a public list like SELinux <selinux@tycho.nsa.gov>

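Added example, not part of the original message or of any SELinux/libvirt code: a simplified Python model of MLS/MCS level dominance, showing why VMs sharing one static level can reach each other, why per-VM category pairs cannot, and why a sensitivity outside s0-s15 leaves no level that dominates everything. The `sv` handling, VM names and category numbers are assumptions, and access is modelled only as "subject level dominates object level", which is simpler than real policy constraints.

```python
# Simplified model of MLS/MCS dominance (added example; not real policy logic).
HIERARCHY = [f"s{i}" for i in range(16)]  # s0..s15, totally ordered
ISOLATED = "sv"  # hypothetical sensitivity kept outside the hierarchy


def parse(level):
    """'s0:c1,c5' -> ('s0', frozenset({1, 5})); ranges such as c0.c3 are expanded."""
    sens, _, cats = level.partition(":")
    out = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        out.update(range(lo_n, hi_n + 1))
    return sens, frozenset(out)


def dominates(a, b):
    """True when level a has sensitivity >= b's and a superset of b's categories."""
    (sa, ca), (sb, cb) = parse(a), parse(b)
    if ISOLATED in (sa, sb):
        sens_ok = sa == sb  # assumption: sv is comparable only with itself
    else:
        sens_ok = HIERARCHY.index(sa) >= HIERARCHY.index(sb)
    return sens_ok and ca >= cb


def can_reach(labels):
    """Ordered pairs (subject, object) of distinct VMs where subject dominates object."""
    return {(s, o) for s in labels for o in labels
            if s != o and dominates(labels[s], labels[o])}


# Constructed sample labels.
STATIC = {"vm1": "s15:c0.c1023", "vm2": "s15:c0.c1023"}   # both at one static level
DYNAMIC = {"vm1": "sv:c101,c334", "vm2": "sv:c27,c905"}   # unique category pair per VM
SYSTEM_HIGH = "s15:c0.c1023"

if __name__ == "__main__":
    print("static  :", sorted(can_reach(STATIC)))    # each VM dominates the other
    print("dynamic :", sorted(can_reach(DYNAMIC)))   # no pair dominates
    print("SystemHigh dominates sv VM:", dominates(SYSTEM_HIGH, DYNAMIC["vm1"]))
```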
