From mboxrd@z Thu Jan  1 00:00:00 1970
From: "Daniel P. Berrange" <berrange@redhat.com>
Subject: Re: A few KVM security questions
Date: Mon, 7 Dec 2009 17:47:31 +0000
Message-ID: <20091207174731.GT24530@redhat.com>
References: <4B1CFD93.7090307@invisiblethingslab.com> <4B1D0057.8030707@redhat.com> <4B1D0383.1080306@invisiblethingslab.com> <4B1D0544.9000603@redhat.com> <4B1D30F6.7050609@codemonkey.ws> <4B1D36E3.9090206@invisiblethingslab.com>
Reply-To: "Daniel P. Berrange" <berrange@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: Anthony Liguori <anthony@codemonkey.ws>,
	Avi Kivity <avi@redhat.com>, kvm@vger.kernel.org
To: Joanna Rutkowska <joanna@invisiblethingslab.com>
Return-path: <kvm-owner@vger.kernel.org>
Received: from mx1.redhat.com ([209.132.183.28]:24861 "EHLO mx1.redhat.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S935462AbZLGRrc (ORCPT <rfc822;kvm@vger.kernel.org>);
	Mon, 7 Dec 2009 12:47:32 -0500
Content-Disposition: inline
In-Reply-To: <4B1D36E3.9090206@invisiblethingslab.com>
Sender: kvm-owner@vger.kernel.org
List-ID: <kvm.vger.kernel.org>

On Mon, Dec 07, 2009 at 06:09:55PM +0100, Joanna Rutkowska wrote:
> 
> Also, SELinux seems to me like a step into the wrong direction. It not
> only adds complexity to the already-too-complex kernel, but requires
> complex configuration. See e.g. this paper[1] for a nice example of how
> to escape SE-sandboxed qemu on FC8 due to SELinux policy misconfiguration.

Things have changed alot since the time the that Xen SELinux policy was
written. The Xen policy was always a tradeoff between usability & security
sine the XenD managment tools were playing no part in the configuration,
leaving it upto the administrator. With KVM  & SELinx, the management tools
play an active part in configuration, removing this burden from the
adminsitrator. Each VM runs under a SELinux context with a dedicated MLS
category, and the resources the VM is assigned have their labelling set
to match. The guest policy only allows it access to resources with a
matching MLS level, so it not gain access to anything the administrator
has not explicitly granted in the VM's configuration. This is actually 
simpler for administrators, since they no longer need to manage labelling 
themselves, while offering greater protection between VMs which was also
not possible with the old Xen policy

Regards,
Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|