selinux December 2008 archive

[RFC] sVirt 0.20

From: James Morris <jmorris_at_nospam>
Date: Thu Dec 11 2008 - 05:00:27 GMT
To: libvir-list@redhat.com


This is to announce the release of v0.20 of sVirt, a project to add security labeling support to Linux-based virtualization.

Project page:
  http://www.selinuxproject.org/page/SVirt

A patch against libvirt is attached, and is also included in a release tarball at http://namei.org/svirt/. See 'readme.txt' there for more details on building and running the code.

This release is an update in response to feedback received on the v0.10 prototype release, per the discussion thread at: https://www.redhat.com/archives/libvir-list/2008-October/msg00478.html

Changes are as follows:

v0.20 - 11/Dec/2008
  • Published TODO list: http://selinuxproject.org/page/SVirt/TODO
  • Rebased to current upstream: converted to new build system, locking etc.
  • Changed DOI format to an integer value, represented via a string, defaulting to "0". Ongoing general discussion on DOI formats and semantics may be found at: http://mail.opensolaris.org/mailman/listinfo/doi-discuss
  • Introduced the concept of a "security model", to more easily distinguish between security models and labels in the API.
  • The security model and DOI attributes are now properties of the hypervisor (instead of the domain label), and included in its host capabilities, e.g.:

    <capabilities>
      <host>
        <cpu>
          <arch>x86_64</arch>
        </cpu>
        <secmodel>
          <model>selinux</model>
          <doi>0</doi>
        </secmodel>
      </host>
      ....
    </capabilities>

  Implicit here is the assumption that each hypervisor may only be associated with one security model.

  • Integrated security model support into "virsh capabilities".
  • The domain configuration label is now of the form:

    <domain>
      ....
      <seclabel model='selinux'>
        <label>system_u:system_r:virtd_t:s0</label>
      </seclabel>
    </domain>

  • The model attribute of the seclabel element above is validated against the host security model at runtime.
  • The output of "virsh dominfo" for a running labeled domain is now as follows:

  # dominfo sys1
  Id:             1
  Name:           sys1
  UUID:           fa3c8e06-0877-2a08-06fd-f2479b7bacb0
  OS Type:        hvm
  Security model: selinux
  Security DOI:   0
  State:          running
  CPU(s):         1
  CPU time:       24.9s
  Max memory:     524288 kB
  Used memory:    524288 kB
  Autostart:      disable
  Security label: system_u:system_r:virtd_t:s0 (enforcing)

  • Whether the security policy is enforcing is a dynamic property of the domain security label, since it may be applied on a per-domain basis.
  • The main aspects to security labeling support in the library and associated data structures are as follows:

    Domain configuration: virDomainSecLabelDef
    Host capabilities:    virDomainSecModel
    Active domain state:  virDomainSecLabel
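The runtime check described above (the seclabel model must match the host's security model), as an added example that is not sVirt or libvirt code: a small Python validator written here, which reads the host secmodel from capabilities XML and checks a domain's seclabel against it. The XML documents below are constructed samples in the shapes shown in this announcement.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample documents in the shapes shown in the announcement.
HOST_CAPS = """<capabilities>
  <host>
    <cpu><arch>x86_64</arch></cpu>
    <secmodel><model>selinux</model><doi>0</doi></secmodel>
  </host>
</capabilities>"""

DOMAIN_OK = """<domain type='xen'>
  <name>sys1</name>
  <seclabel model='selinux'>
    <label>system_u:system_r:virtd_t:s0</label>
  </seclabel>
</domain>"""

DOMAIN_BAD_MODEL = DOMAIN_OK.replace("model='selinux'", "model='apparmor'")

# SELinux context: user:role:type[:level]; the level may itself contain colons.
SELINUX_CTX = re.compile(r"^[^:\s]+:[^:\s]+:[^:\s]+(?::\S+)?$")


def host_secmodel(caps_xml):
    """Return (model, doi) from host capabilities, or None if no secmodel is reported."""
    sm = ET.fromstring(caps_xml).find("./host/secmodel")
    if sm is None:
        return None
    return sm.findtext("model"), sm.findtext("doi", default="0")


def validate_seclabel(domain_xml, caps_xml):
    """Check a domain's seclabel against the host: model must match the host's
    single security model, and a selinux label must be a well-formed context.
    Returns (ok, reason)."""
    host = host_secmodel(caps_xml)
    sl = ET.fromstring(domain_xml).find("seclabel")
    if sl is None:
        return True, "no seclabel; domain is unlabeled"
    if host is None:
        return False, "domain requests a security label but host reports no secmodel"
    model = sl.get("model")
    if model != host[0]:
        return False, f"seclabel model {model!r} does not match host model {host[0]!r}"
    label = (sl.findtext("label") or "").strip()
    if model == "selinux" and not SELINUX_CTX.match(label):
        return False, f"malformed SELinux context: {label!r}"
    return True, f"label {label} accepted under model {model} (DOI {host[1]})"
```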


I'm hoping to be able to propose an initial version for upstream merge within the next few minor releases, tasks for which are being scoped out in the new TODO list:

http://selinuxproject.org/page/SVirt/TODO

If the current release passes review, the next major task will be to add dynamic MCS labeling of domains and disk images for simple isolation.

Feedback is welcome.

- James

--
James Morris <jmorris@namei.org>

-- This message was distributed to subscribers of the selinux mailing list.