On Tuesday 12 August 2008 5:57:19 am James Morris wrote:
> On Tue, 12 Aug 2008, Russell Coker wrote:
> > One thing that should be noted is the labelled network benefits.
> > If you had several groups of virtual servers running at different
> > levels and wanted to prevent information leaks then ha
On Tue, 12 Aug 2008, Russell Coker wrote:
> having different labels for processes and files so that if someone cracks the
> UML kernel then they end up with just a regular user access on the Linux
> host. Which of course they could then try to crack with any of the usual
> local-root exploits.
On Tue, Aug 12, 2008 at 03:57:46PM +1000, Russell Coker wrote:
> On Monday 11 August 2008 19:31, James Morris <[EMAIL PROTECTED]> wrote:
> I think that Casey's idea is that if someone breaks the VM separation then you
> lose it all. For separation based on UML there are obvious benefits to
>
On Monday 11 August 2008 19:31, James Morris <[EMAIL PROTECTED]> wrote:
> I suspect you misunderstood an important aspect of this in that we are
> targeting Linux-based virtualization, where the VMs are running inside
> Linux processes. In this case, the isolation depends on DAC in the host, and
James Morris wrote:
On Sun, 10 Aug 2008, Casey Schaufler wrote:
1.1 Rationale
With increased use of virtualization, one security benefit of
physically separated systems -- strong isolation -- is reduced,
This issue can always be readily resolved by going back to physically
On Sun, 10 Aug 2008, Casey Schaufler wrote:
> > 1.1 Rationale
> >
> > With increased use of virtualization, one security benefit of
> > physically separated systems -- strong isolation -- is reduced,
>
> This issue can always be readily resolved by going back to physically
> separated h
James Morris wrote:
This is to announce the formation of the sVirt project, which aims to
integrate SELinux and Linux-based virtualization (KVM et al).
The idea has been discussed a few times over the last year or so, and in
recent weeks, a few Fedora folk (such as Dan Walsh, Daniel Berrange a