On Fri, Feb 27, 2009 at 03:37:55PM -0500, Daniel J Walsh wrote:
> Hash: SHA1
> Another patch off latest repository.
> This patch does not require the XML to include a label, although this is
> still supported.
> Implemented most of the comments from Jim.  make check and make
> syntax-check passes, Added seclabeltest.c to run in tests, Updated
> capability.rng, although not really sure I did it right.
> This patch will generate random MCS Labels and relabels the image files
> to match.  Seems to work well on F11.
> I will back port some policy to allow it to work on F10.
> I think we need a mechanism in libvirtd.conf to turn this off.   And
> allow perhaps three modes.
> svirt=Disabled.  No Security Driver.
> svirt=MLS (Requires context in xml, no relabel of disks)
> svirt=Standard, (If no XML label, then random generate one and reset
> file context).
> How should I read config from libvirt.conf and and not enable he
> SecurityModel?
> http://people.fedoraproject.org/~dwalsh/SELinux/svirt.patch

I have finally applied this patch. I broke it up into  a series of
7 patches across the different functional areas, to make it easier
to bisect individual changes, so I applied it in the following pieces

 - Public API definitions
 - Internal driver API glue
 - Remote protocol API & glue
 - Core security driver infrastructure
 - Virsh additions for dominfo
 - SElinux security driver
 - QEMU integration with security driver

I made a couple of small changes along the way...

 - virSecurityDriverStartup() takes a driver name, so HV drivers
   can explicitly configure which sec driver they want, overriding
   the default probed order. 'none' disables it completely

 - /etc/libvirt/qemu.conf gains a security_driver='XXX' config param
   accepting 'none' or 'selinux' to choose drivers. If not set it will
   probe for a driver, thus defaulting to SELinux if availab.e

 - Fixed the RNG schema for capabilities & domain XML format additions

 - Added a configure.in check for selinux_virtual_domain_context_path()
   and selinux_virtual_image_context_path() and make it disable the
   SELinux driver if these aren't found. These functions are new on
   F11, so we don't want to break build on RHEL-5 & earlier Fedora.

I still think we need one further tweak to the XML. We have the ability
to turn on / off of the security driver in QEMU, but I think we need
better support for the automatic label generation. The current logic
is doing

 - If <seclabel> is element in the XML, use that
 - Else generate a seclabel when starting a VM

The trouble is when you then query the XML for a guest, you have no way
of telling whether the <seclabel> is showing a generated one, or a predefined
one. And if you dump and then reload the XML, your VM that used to be using
a generated label, now gets fixed to that current label forever. This has
caused us a great deal of pain in the past with generated VNC ports, and
generated TAP device names. So I think we need to add an XML attribute to
explicitly note that the label is generated

eg, add  type="static|dynamic" to <seclabel> ...

  <seclabel model='selinux' type="static">

|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

Libvir-list mailing list

Reply via email to