Re: [libvirt] [ANNOUNCE][RFC] sVirt: Integrating SELinux and Linux-based virtualization

2008-08-12, Daniel P. Berrange
On Tue, Aug 12, 2008 at 10:16:35AM -0400, Daniel J Walsh wrote: > Daniel P. Berrange wrote: > > On Tue, Aug 12, 2008 at 09:54:23AM -0400, Daniel J Walsh wrote: > >> Daniel P. Berrange wrote: > >>> On Tue, Aug 12, 2008 at 09:20:41AM -0400, Daniel J Walsh wrote: > The experimenting I have done h

Re: [libvirt] [ANNOUNCE][RFC] sVirt: Integrating SELinux and Linux-based virtualization

2008-08-12, Daniel J Walsh
Daniel P. Berrange wrote: > On Tue, Aug 12, 2008 at 09:54:23AM -0400, Daniel J Walsh wrote: >> Daniel P. Berrange wrote: >>> On Tue, Aug 12, 2008 at 09:20:41AM -0400, Daniel J Walsh wrote: The experimenting I have done has been around labeling of the virt_image and the process with mcs la

Re: [libvirt] [ANNOUNCE][RFC] sVirt: Integrating SELinux and Linux-based virtualization

2008-08-12, Daniel P. Berrange
On Tue, Aug 12, 2008 at 09:54:23AM -0400, Daniel J Walsh wrote: > Daniel P. Berrange wrote: > > On Tue, Aug 12, 2008 at 09:20:41AM -0400, Daniel J Walsh wrote: > >> The experimenting I have done has been around labeling of the virt_image > >> and the process with mcs labels to prevent one process f

Re: [libvirt] [ANNOUNCE][RFC] sVirt: Integrating SELinux and Linux-based virtualization

2008-08-12, Daniel J Walsh
Daniel P. Berrange wrote: > On Tue, Aug 12, 2008 at 09:20:41AM -0400, Daniel J Walsh wrote: >> James Morris wrote: >>> On Tue, 12 Aug 2008, Daniel P. Berrange wrote: >>> Do we instead add the info the udev rules, so when /dev is populated at boot time by udev the device no

Re: [libvirt] [ANNOUNCE][RFC] sVirt: Integrating SELinux and Linux-based virtualization

2008-08-12, Daniel J Walsh
James Morris wrote: > On Tue, 12 Aug 2008, Daniel P. Berrange wrote: > >> Do we instead add the info the udev rules, so when /dev is >> populated at boot time by udev the device nodes get the desired >> initial labelling ? Or do we manually chcon() the device >> a

Re: [libvirt] [ANNOUNCE][RFC] sVirt: Integrating SELinux and Linux-based virtualization

2008-08-12, Daniel P. Berrange
On Tue, Aug 12, 2008 at 09:20:41AM -0400, Daniel J Walsh wrote: > James Morris wrote: > > On Tue, 12 Aug 2008, Daniel P. Berrange wrote: > > > >> Do we instead add the info the udev rules, so when /dev is > >> populated at boot time by udev the device nodes get the desired > >>

Re: [libvirt] [ANNOUNCE][RFC] sVirt: Integrating SELinux and Linux-based virtualization

2008-08-12, James Morris
On Tue, 12 Aug 2008, Daniel P. Berrange wrote: > Do we instead add the info the udev rules, so when /dev is > populated at boot time by udev the device nodes get the desired > initial labelling ? Or do we manually chcon() the device > at the time we boot the VM ?

Re: [libvirt] [ANNOUNCE][RFC] sVirt: Integrating SELinux and Linux-based virtualization

2008-08-12, Daniel P. Berrange
On Mon, Aug 11, 2008 at 12:17:48PM +1000, James Morris wrote: > 4. Design Considerations > > 4.1 Consensus in preliminary discussion appears to be that adding > MAC to libvirt will be the most effective approach. Support > may then be extended to virsh, virt-manager, oVirt

[libvirt] [ANNOUNCE][RFC] sVirt: Integrating SELinux and Linux-based virtualization

2008-08-10, James Morris
This is to announce the formation of the sVirt project, which aims to integrate SELinux and Linux-based virtualization (KVM et al). The idea has been discussed a few times over the last year or so, and in recent weeks, a few Fedora folk (such as Dan Walsh, Daniel Berrange and myself) have put t