Why can't standard Unix accounts provide the isolation of virtual machines from each other that you're going for? SELinux only adds restrictions to that, so it would seem sufficient to give each virtual machine its own account and make the disk images mode 600, owned by that uid. I guess SELinux could help out by preventing the virtual machine from calling chmod() on those files but I don't see what else it buys you here.

DAC protections would be helpful also.

I am not sure that qemu can currently run without at least running with certain capabilities.

According to SELinux policy, virtual domains required these capabilities:

allow virt_domain self:capability { kill dac_read_search dac_override };

I guess qemu could be reworked to not need these capabilities, and you could run them as a non-privileged user. Then you could give libvirt a group of UIDs to run each virtual instance under. I think an sVirt security plugin could be written to do this.

However, this would not give you the fine-grained control that SELinux can give you.
For example, if you had a database on your system that was world readable, then the virtual instances would be able to read it, and the DAC permissions would not stop it. Similarly world write, chmod as you said, executing setuid applications: all would be allowed. Etc.

I guess you could bring this up on the virt mailing list for discussion on potential security module solution.
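As an added example (not code from either commenter or from libvirt/sVirt), a small POSIX shell helper that decodes the CapEff mask in /proc/<pid>/status and reports which of the three capabilities named in that policy rule a running qemu process actually holds. Bit numbers come from linux/capability.h; the sample masks at the bottom are constructed, not taken from a real system.

```shell
# Capability bit numbers (linux/capability.h) for the three capabilities
# granted by the virt_domain policy rule quoted above.
CAP_DAC_OVERRIDE=1
CAP_DAC_READ_SEARCH=2
CAP_KILL=5

# has_cap MASK BIT -> succeeds if bit BIT is set in the hex mask MASK
# (MASK is the raw value from a CapEff: line, e.g. 0000003fffffffff).
has_cap() {
    mask=$1
    bit=$2
    [ $(( (0x$mask >> bit) & 1 )) -eq 1 ]
}

# cap_summary MASK -> prints the names of the rule's capabilities that
# are set in MASK, space separated, or "none".
cap_summary() {
    mask=$1
    out=""
    has_cap "$mask" $CAP_DAC_OVERRIDE    && out="${out:+$out }dac_override"
    has_cap "$mask" $CAP_DAC_READ_SEARCH && out="${out:+$out }dac_read_search"
    has_cap "$mask" $CAP_KILL            && out="${out:+$out }kill"
    printf '%s\n' "${out:-none}"
}

# caps_of_pid PID -> reads the effective capability set of a live process
# from /proc and summarizes it; use on a qemu PID to check whether the
# process really still holds DAC-bypassing capabilities.
caps_of_pid() {
    mask=$(awk '/^CapEff:/ { print $2 }' "/proc/$1/status") || return 1
    [ -n "$mask" ] || return 1
    cap_summary "$mask"
}

# Constructed sample masks for offline use (not from a real system):
FULL_ROOT_MASK=0000003fffffffff   # unconfined root: every capability set
KILL_ONLY_MASK=0000000000000020   # only bit 5 (CAP_KILL) set
EMPTY_MASK=0000000000000000       # fully dropped capability set
```

On a live host, `caps_of_pid $(pgrep -o qemu)` shows whether the qemu process actually runs with dac_override and dac_read_search, i.e. whether per-UID DAC protection of the disk images could be bypassed by that process.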
