From: "Daniel P. Berrange" <berrange@redhat.com>
To: Joanna Rutkowska <joanna@invisiblethingslab.com>
Cc: Anthony Liguori <anthony@codemonkey.ws>,
Avi Kivity <avi@redhat.com>,
kvm@vger.kernel.org
Subject: Re: A few KVM security questions
Date: Mon, 7 Dec 2009 17:47:31 +0000 [thread overview]
Message-ID: <20091207174731.GT24530@redhat.com> (raw)
In-Reply-To: <4B1D36E3.9090206@invisiblethingslab.com>
On Mon, Dec 07, 2009 at 06:09:55PM +0100, Joanna Rutkowska wrote:
>
> Also, SELinux seems to me like a step into the wrong direction. It not
> only adds complexity to the already-too-complex kernel, but requires
> complex configuration. See e.g. this paper[1] for a nice example of how
> to escape SE-sandboxed qemu on FC8 due to SELinux policy misconfiguration.
Things have changed alot since the time the that Xen SELinux policy was
written. The Xen policy was always a tradeoff between usability & security
sine the XenD managment tools were playing no part in the configuration,
leaving it upto the administrator. With KVM & SELinx, the management tools
play an active part in configuration, removing this burden from the
adminsitrator. Each VM runs under a SELinux context with a dedicated MLS
category, and the resources the VM is assigned have their labelling set
to match. The guest policy only allows it access to resources with a
matching MLS level, so it not gain access to anything the administrator
has not explicitly granted in the VM's configuration. This is actually
simpler for administrators, since they no longer need to manage labelling
themselves, while offering greater protection between VMs which was also
not possible with the old Xen policy
Regards,
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
next prev parent reply other threads:[~2009-12-07 17:47 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-12-07 13:05 A few KVM security questions Joanna Rutkowska
2009-12-07 13:17 ` Avi Kivity
2009-12-07 13:30 ` Joanna Rutkowska
2009-12-07 13:38 ` Avi Kivity
2009-12-07 14:06 ` Joanna Rutkowska
2009-12-07 14:09 ` Avi Kivity
2009-12-07 16:44 ` Anthony Liguori
2009-12-07 17:09 ` Joanna Rutkowska
2009-12-07 17:13 ` Avi Kivity
2009-12-07 17:15 ` Joanna Rutkowska
2009-12-07 17:18 ` Avi Kivity
2009-12-07 17:33 ` Joanna Rutkowska
2009-12-07 18:34 ` Avi Kivity
2009-12-09 10:43 ` Pasi Kärkkäinen
2009-12-07 17:38 ` Anthony Liguori
2009-12-07 17:45 ` Joanna Rutkowska
[not found] ` <20091207181556.GM4679@tyrion.haifa.ibm.com>
2009-12-07 19:58 ` Anthony Liguori
2009-12-07 17:33 ` Anthony Liguori
2009-12-07 17:58 ` Joanna Rutkowska
2009-12-07 17:47 ` Daniel P. Berrange [this message]
2009-12-07 13:55 ` Joanna Rutkowska
2009-12-07 14:01 ` Avi Kivity
2009-12-07 16:47 ` Anthony Liguori
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20091207174731.GT24530@redhat.com \
--to=berrange@redhat.com \
--cc=anthony@codemonkey.ws \
--cc=avi@redhat.com \
--cc=joanna@invisiblethingslab.com \
--cc=kvm@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox