NB VM - Revision history http://www.selinuxproject.org/w/?title=NB_VM&action=history Revision history for this page on the wiki en MediaWiki 1.23.13 Tue, 19 Mar 2024 02:35:41 GMT RichardHaines: /* Xen Support */ http://www.selinuxproject.org/w/?title=NB_VM&diff=1799&oldid=prev http://www.selinuxproject.org/w/?title=NB_VM&diff=1799&oldid=prev <p>‎<span dir="auto"><span class="autocomment">Xen Support</span></span></p> <table class='diff diff-contentalign-left'> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 14:04, 25 September 2015</td> </tr><tr><td colspan="2" class="diff-lineno">Line 286:</td> <td colspan="2" class="diff-lineno">Line 286:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>However (just to confuse the issue), there is another Xen policy module (also called &lt;tt&gt;xen.te&lt;/tt&gt;) in the Reference Policy to support the management of images etc. via the Xen console.</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>However (just to confuse the issue), there is another Xen policy module (also called &lt;tt&gt;xen.te&lt;/tt&gt;) in the Reference Policy to support the management of images etc. 
via the Xen console.</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>For reference, the Xen policy supports additional policy language statements: &lt;tt&gt;iomemcon&lt;/tt&gt;, &lt;tt&gt;ioportcon&lt;/tt&gt;, &lt;tt&gt;pcidevicecon&lt;/tt&gt; and &lt;tt&gt;pirqcon&lt;/tt&gt; that are discussed in the [[<del class="diffchange diffchange-inline">KernelPolicyLanguage#Xen Statements </del>| SELinux Policy Xen Statements]].</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>For reference, the Xen policy supports additional policy language statements: &lt;tt&gt;iomemcon&lt;/tt&gt;, &lt;tt&gt;ioportcon&lt;/tt&gt;, &lt;tt&gt;pcidevicecon&lt;/tt&gt; and &lt;tt&gt;pirqcon&lt;/tt&gt; that are discussed in the [[<ins class="diffchange diffchange-inline">XENStatements </ins>| SELinux Policy Xen Statements]].</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td 
class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> </table> Fri, 25 Sep 2015 14:04:09 GMT RichardHaines http://www.selinuxproject.org/page/Talk:NB_VM RichardHaines at 14:02, 25 September 2015 http://www.selinuxproject.org/w/?title=NB_VM&diff=1798&oldid=prev http://www.selinuxproject.org/w/?title=NB_VM&diff=1798&oldid=prev <p></p> <table class='diff diff-contentalign-left'> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 14:02, 25 September 2015</td> </tr><tr><td colspan="2" class="diff-lineno">Line 16:</td> <td colspan="2" class="diff-lineno">Line 16:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>KVM is a kernel loadable module that uses the Linux kernel as a hypervisor and makes use of a modified QEMU emulator to support the hardware I/O 
emulation. The &quot;[http://www.redhat.com/f/pdf/rhev/DOC-KVM.pdf Kernel-based Virtual Machine]&quot; document gives a good overview of how KVM and QEMU are implemented. It also provides an introduction to virtualisation in general. Note that KVM requires virtulisation support in the CPU (Intel-VT or AMD-V extensions).</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>KVM is a kernel loadable module that uses the Linux kernel as a hypervisor and makes use of a modified QEMU emulator to support the hardware I/O emulation. The &quot;[http://www.redhat.com/f/pdf/rhev/DOC-KVM.pdf Kernel-based Virtual Machine]&quot; document gives a good overview of how KVM and QEMU are implemented. It also provides an introduction to virtualisation in general. Note that KVM requires virtulisation support in the CPU (Intel-VT or AMD-V extensions).</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The SELinux support for VMs is implemented by the &lt;tt&gt;libvirt&lt;/tt&gt; sub-system that is used to manage the VM images using a Virtual Machine Manager, and as KVM is based on Linux it 
has SELinux support by default. There are also Reference Policy modules to support the overall infrastructure (KVM support is in various kernel and system modules with a &lt;tt&gt;virt&lt;/tt&gt; module supporting the &lt;tt&gt;libvirt&lt;/tt&gt; services).The [http://<del class="diffchange diffchange-inline">taiga.</del>selinuxproject.org/~rhaines/NB4-diagrams/18-kvm.png KVM Environment] diagram shows a high level overview with two VMs running in their own domains. The [[#libsvirt Support | libvirt Support]] section shows how to configure these and their VM image files.</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The SELinux support for VMs is implemented by the &lt;tt&gt;libvirt&lt;/tt&gt; sub-system that is used to manage the VM images using a Virtual Machine Manager, and as KVM is based on Linux it has SELinux support by default. There are also Reference Policy modules to support the overall infrastructure (KVM support is in various kernel and system modules with a &lt;tt&gt;virt&lt;/tt&gt; module supporting the &lt;tt&gt;libvirt&lt;/tt&gt; services).The [http://selinuxproject.org/~rhaines/NB4-diagrams/18-kvm.png KVM Environment] diagram shows a high level overview with two VMs running in their own domains. 
The [[#libsvirt Support | libvirt Support]] section shows how to configure these and their VM image files.</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== libvirt Support ==</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== libvirt Support ==</div></td></tr> <tr><td colspan="2" class="diff-lineno">Line 86:</td> <td colspan="2" class="diff-lineno">Line 86:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>If the disk image has been set to shared, then a dynamically allocated &lt;tt&gt;level&lt;/tt&gt; will be generated for each VM process instance, however there will be a single instance of the disk image.</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: 
#e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>If the disk image has been set to shared, then a dynamically allocated &lt;tt&gt;level&lt;/tt&gt; will be generated for each VM process instance, however there will be a single instance of the disk image.</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The Virtual Machine Manager can be used to set the image as shareable by checking the &lt;tt&gt;Shareable&lt;/tt&gt; box as shown in the [http://<del class="diffchange diffchange-inline">taiga.</del>selinuxproject.org/~rhaines/NB4-diagrams/19-shareable.png Setting the Virtual Disk as Shareable] screen shot.</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The Virtual Machine Manager can be used to set the image as shareable by checking the &lt;tt&gt;Shareable&lt;/tt&gt; box as shown in the [http://selinuxproject.org/~rhaines/NB4-diagrams/19-shareable.png Setting the Virtual Disk as Shareable] screen shot.</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; 
border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>This will set the image (&lt;tt&gt;Shareable_VM.xml&lt;/tt&gt;) resource XML configuration file located in the &lt;tt&gt;/etc/libvirt/qemu&lt;/tt&gt; directory &lt;tt&gt;&lt;nowiki&gt;&lt;disk&gt;&lt;/nowiki&gt;&lt;/tt&gt; contents as follows:</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>This will set the image (&lt;tt&gt;Shareable_VM.xml&lt;/tt&gt;) resource XML configuration file located in the &lt;tt&gt;/etc/libvirt/qemu&lt;/tt&gt; directory &lt;tt&gt;&lt;nowiki&gt;&lt;disk&gt;&lt;/nowiki&gt;&lt;/tt&gt; contents as follows:</div></td></tr> <tr><td colspan="2" class="diff-lineno">Line 101:</td> <td colspan="2" class="diff-lineno">Line 101:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;/pre&gt;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; 
white-space: pre-wrap;"><div>&lt;/pre&gt;</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>As the two VMs will share the same image, the &lt;tt&gt;Shareable_VM&lt;/tt&gt; service needs to be cloned and the VM resource name selected was &lt;tt&gt;Shareable_VM-clone&lt;/tt&gt; as shown in this [http://<del class="diffchange diffchange-inline">taiga.</del>selinuxproject.org/~rhaines/NB4-diagrams/20-clone.png screen shot].</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>As the two VMs will share the same image, the &lt;tt&gt;Shareable_VM&lt;/tt&gt; service needs to be cloned and the VM resource name selected was &lt;tt&gt;Shareable_VM-clone&lt;/tt&gt; as shown in this [http://selinuxproject.org/~rhaines/NB4-diagrams/20-clone.png screen shot].</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; 
font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>The resource XML file &lt;tt&gt;&lt;nowiki&gt;&lt;disk&gt;&lt;/nowiki&gt;&lt;/tt&gt; contents generated are shown - note that it has the same &lt;tt&gt;source file&lt;/tt&gt; name as the &lt;tt&gt;Shareable_VM.xml&lt;/tt&gt; file shown above.</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>The resource XML file &lt;tt&gt;&lt;nowiki&gt;&lt;disk&gt;&lt;/nowiki&gt;&lt;/tt&gt; contents generated are shown - note that it has the same &lt;tt&gt;source file&lt;/tt&gt; name as the &lt;tt&gt;Shareable_VM.xml&lt;/tt&gt; file shown above.</div></td></tr> <tr><td colspan="2" class="diff-lineno">Line 205:</td> <td colspan="2" class="diff-lineno">Line 205:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>: For this example &lt;tt&gt;svirt_t&lt;/tt&gt; has been chosen as it is a valid context (however it will not run as explained in the text). 
This context will be written to the &lt;tt&gt;Static_VM1.xml&lt;/tt&gt; configuration file in &lt;tt&gt;/etc/libvirt/qemu&lt;/tt&gt;.</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>: For this example &lt;tt&gt;svirt_t&lt;/tt&gt; has been chosen as it is a valid context (however it will not run as explained in the text). This context will be written to the &lt;tt&gt;Static_VM1.xml&lt;/tt&gt; configuration file in &lt;tt&gt;/etc/libvirt/qemu&lt;/tt&gt;.</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>* If the VM is now started an error will be shown as show in the this [http://<del class="diffchange diffchange-inline">taiga.</del>selinuxproject.org/~rhaines/NB4-diagrams/21-error.png screen shot].</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>* If the VM is now started an error will be shown as show in the this [http://selinuxproject.org/~rhaines/NB4-diagrams/21-error.png screen 
shot].</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>: This is because the image file label is incorrect as by default it is labeled &lt;tt&gt;virt_image_t&lt;/tt&gt; when the VM image is built (and &lt;tt&gt;svirt_t&lt;/tt&gt; does not have read/write permission for this label):</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>: This is because the image file label is incorrect as by default it is labeled &lt;tt&gt;virt_image_t&lt;/tt&gt; when the VM image is built (and &lt;tt&gt;svirt_t&lt;/tt&gt; does not have read/write permission for this label):</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;pre&gt;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;pre&gt;</div></td></tr> <tr><td colspan="2" class="diff-lineno">Line 280:</td> <td colspan="2" class="diff-lineno">Line 280:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td 
style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== Xen Support ==</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== Xen Support ==</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>This is not supported by SELinux in the usual way as it is built into the actual Xen software as a 'Flask/TE' extension&lt;ref name=&quot;ftn27&quot;&gt;This is a version of the SELinux security server, avc etc. that has been specifically ported for the Xen implementation.&lt;/ref&gt; for the XSM (Xen Security Module). Also the Xen implementation has its own built-in policy (&lt;tt&gt;xen.te&lt;/tt&gt;) and supporting definitions for access vectors, security classes and initial SIDs for the policy. These Flask/TE components run in Domain 0 as part of the domain management and control supporting the Virtual Machine Monitor (VMM) as shown in the [http://<del class="diffchange diffchange-inline">taiga.</del>selinuxproject.org/~rhaines/NB4-diagrams/22-xen.png Xen Hypervisor] diagram. 
&#160;</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>This is not supported by SELinux in the usual way as it is built into the actual Xen software as a 'Flask/TE' extension&lt;ref name=&quot;ftn27&quot;&gt;This is a version of the SELinux security server, avc etc. that has been specifically ported for the Xen implementation.&lt;/ref&gt; for the XSM (Xen Security Module). Also the Xen implementation has its own built-in policy (&lt;tt&gt;xen.te&lt;/tt&gt;) and supporting definitions for access vectors, security classes and initial SIDs for the policy. These Flask/TE components run in Domain 0 as part of the domain management and control supporting the Virtual Machine Monitor (VMM) as shown in the [http://selinuxproject.org/~rhaines/NB4-diagrams/22-xen.png Xen Hypervisor] diagram. &#160;</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>The &quot;[http://www.xen.org/files/Marketing/HowDoesXenWork.pdf How Does Xen Work] document describes the basic operation of Xen, the &quot;[http://www.xen.org/files/xensummit_4/xsm-summit-041707_Coker.pdf Xen Security 
Modules]&quot; describes the XSM/Flask implementation, and the &lt;tt&gt;xsm-flask.txt&lt;/tt&gt; file in the Xen source package describes how SELinux and its supporting policy is implemented.</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>The &quot;[http://www.xen.org/files/Marketing/HowDoesXenWork.pdf How Does Xen Work] document describes the basic operation of Xen, the &quot;[http://www.xen.org/files/xensummit_4/xsm-summit-041707_Coker.pdf Xen Security Modules]&quot; describes the XSM/Flask implementation, and the &lt;tt&gt;xsm-flask.txt&lt;/tt&gt; file in the Xen source package describes how SELinux and its supporting policy is implemented.</div></td></tr> </table> Fri, 25 Sep 2015 14:02:59 GMT RichardHaines http://www.selinuxproject.org/page/Talk:NB_VM RichardHaines: /* Xen Support */ http://www.selinuxproject.org/w/?title=NB_VM&diff=1719&oldid=prev http://www.selinuxproject.org/w/?title=NB_VM&diff=1719&oldid=prev <p>‎<span dir="auto"><span class="autocomment">Xen Support</span></span></p> <table class='diff diff-contentalign-left'> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 10:19, 8 December 2014</td> </tr><tr><td colspan="2" class="diff-lineno">Line 293:</td> <td colspan="2" class="diff-lineno">Line 293:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; 
white-space: pre-wrap;"></td></tr></table>
(diff 1799, continued) navigation table at the end of the page:
  | [[NB_Networking | '''Previous''']]
  | <center>[[NewUsers | '''Home''']]</center>
− | <center>[[NB_XWIN | '''Next''']]</center>
+ | <center>[[NB_SandBox | '''Next''']]</center>
  |}
Mon, 08 Dec 2014 10:19:00 GMT RichardHaines http://www.selinuxproject.org/page/Talk:NB_VM

RichardHaines at 16:59, 7 December 2014
http://www.selinuxproject.org/w/?title=NB_VM&diff=1717&oldid=prev
Show changes: http://www.selinuxproject.org/w/?title=NB_VM&diff=1717&oldid=1041
Sun, 07 Dec 2014 16:59:46 GMT RichardHaines http://www.selinuxproject.org/page/Talk:NB_VM

Jaxelson at 21:05, 13 September 2010
http://www.selinuxproject.org/w/?title=NB_VM&diff=1041&oldid=prev
Older revision vs. revision as of 21:05, 13 September 2010, at line 374:
  ----
  <references/>
+ (empty line)
+ [[Category:Notebook]]
Mon, 13 Sep 2010 21:05:34 GMT Jaxelson http://www.selinuxproject.org/page/Talk:NB_VM

RichardHaines: /* Readonly Image Mode */
http://www.selinuxproject.org/w/?title=NB_VM&diff=965&oldid=prev
http://www.selinuxproject.org/w/?title=NB_VM&diff=965&oldid=prev <p>‎<span dir="auto"><span class="autocomment">Readonly Image Mode</span></span></p> <table class='diff diff-contentalign-left'> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 14:35, 18 May 2010</td> </tr><tr><td colspan="2" class="diff-lineno">Line 149:</td> <td colspan="2" class="diff-lineno">Line 149:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>The &lt;tt&gt;readonly&lt;/tt&gt; configuration sequence is similar to the &lt;tt&gt;shared&lt;/tt&gt; option shown above with a dynamically allocated level generated for each VM process instance and the disk image can be shared. The major differences are that the disk image will be read only by setting the image context to &lt;tt&gt;virt_content_t&lt;/tt&gt; (that enforces read only - see the &lt;tt&gt;virt.if&lt;/tt&gt; module interface file - &lt;tt&gt;read_blk_files_pattern&lt;/tt&gt;) instead of &lt;tt&gt;svirt_image_t&lt;/tt&gt; (that allows read/write - &lt;tt&gt;rw_blk_files_pattern&lt;/tt&gt;). 
&#160;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>The &lt;tt&gt;readonly&lt;/tt&gt; configuration sequence is similar to the &lt;tt&gt;shared&lt;/tt&gt; option shown above with a dynamically allocated level generated for each VM process instance and the disk image can be shared. The major differences are that the disk image will be read only by setting the image context to &lt;tt&gt;virt_content_t&lt;/tt&gt; (that enforces read only - see the &lt;tt&gt;virt.if&lt;/tt&gt; module interface file - &lt;tt&gt;read_blk_files_pattern&lt;/tt&gt;) instead of &lt;tt&gt;svirt_image_t&lt;/tt&gt; (that allows read/write - &lt;tt&gt;rw_blk_files_pattern&lt;/tt&gt;). &#160;</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The Virtual Machine Manager can be used to set the image as read only by checking the &lt;tt&gt;Readonly&lt;/tt&gt; box as shown in&#160; the [http://taiga.selinuxproject.org/~rhaines/diagrams/21-<del class="diffchange diffchange-inline">Sharable</del>.png Setting the image as Shareable or Readonly] screen. 
This will set the image (&lt;tt&gt;Test_VM1.xml&lt;/tt&gt;) resource XML configuration file located in the &lt;tt&gt;/etc/libvirt/qemu&lt;/tt&gt; directory &lt;tt&gt;&lt;disk&gt;&lt;/tt&gt; contents as follows:</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The Virtual Machine Manager can be used to set the image as read only by checking the &lt;tt&gt;Readonly&lt;/tt&gt; box as shown in&#160; the [http://taiga.selinuxproject.org/~rhaines/diagrams/21-<ins class="diffchange diffchange-inline">Shareable</ins>.png Setting the image as Shareable or Readonly] screen. This will set the image (&lt;tt&gt;Test_VM1.xml&lt;/tt&gt;) resource XML configuration file located in the &lt;tt&gt;/etc/libvirt/qemu&lt;/tt&gt; directory &lt;tt&gt;&lt;disk&gt;&lt;/tt&gt; contents as follows:</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;pre&gt;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;pre&gt;</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># /etc/libvirt/qemu/Test_VM1.xml:</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; 
border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># /etc/libvirt/qemu/Test_VM1.xml:</div></td></tr> <tr><td colspan="2" class="diff-lineno">Line 222:</td> <td colspan="2" class="diff-lineno">Line 222:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>system_u:object_r:virt_content_t:s0 Test_VM1.img</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>system_u:object_r:virt_content_t:s0 Test_VM1.img</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;/pre&gt;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;/pre&gt;</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2">&#160;</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; 
vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>=== Static Labeling ===</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>=== Static Labeling ===</div></td></tr> </table> Tue, 18 May 2010 14:35:25 GMT RichardHaines http://www.selinuxproject.org/page/Talk:NB_VM RichardHaines: /* Shared Image Mode */ http://www.selinuxproject.org/w/?title=NB_VM&diff=964&oldid=prev http://www.selinuxproject.org/w/?title=NB_VM&diff=964&oldid=prev <p>‎<span dir="auto"><span class="autocomment">Shared Image Mode</span></span></p> <table class='diff diff-contentalign-left'> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 14:32, 18 May 2010</td> </tr><tr><td colspan="2" class="diff-lineno">Line 73:</td> <td colspan="2" class="diff-lineno">Line 73:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: 
top; white-space: pre-wrap;"><div>If the disk image has been set to shared, then a dynamically allocated &lt;tt&gt;level&lt;/tt&gt; will be generated for each VM process instance, however there will be a single instance of the disk image. &#160;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>If the disk image has been set to shared, then a dynamically allocated &lt;tt&gt;level&lt;/tt&gt; will be generated for each VM process instance, however there will be a single instance of the disk image. &#160;</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The Virtual Machine Manager can be used to set the image as shareable by checking the &lt;tt&gt;Shareable&lt;/tt&gt; box as shown in the [http://taiga.selinuxproject.org/~rhaines/diagrams/21-<del class="diffchange diffchange-inline">Sharable</del>.png Setting the image as Shareable or Readonly] screen.</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: 
pre-wrap;"><div>The Virtual Machine Manager can be used to set the image as shareable by checking the &lt;tt&gt;Shareable&lt;/tt&gt; box as shown in the [http://taiga.selinuxproject.org/~rhaines/diagrams/21-<ins class="diffchange diffchange-inline">Shareable</ins>.png Setting the image as Shareable or Readonly] screen.</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>This will set the image (&lt;tt&gt;Test_VM1.xml&lt;/tt&gt;) resource XML configuration file located in the &lt;tt&gt;/etc/libvirt/qemu&lt;/tt&gt; directory &lt;tt&gt;&lt;disk&gt;&lt;/tt&gt; contents as follows:</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>This will set the image (&lt;tt&gt;Test_VM1.xml&lt;/tt&gt;) resource XML configuration file located in the &lt;tt&gt;/etc/libvirt/qemu&lt;/tt&gt; directory &lt;tt&gt;&lt;disk&gt;&lt;/tt&gt; contents as follows:</div></td></tr> <tr><td colspan="2" class="diff-lineno">Line 145:</td> <td colspan="2" class="diff-lineno">Line 145:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; 
color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>system_u:object_r:svirt_image_t:s0 Test_VM1.img</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>system_u:object_r:svirt_image_t:s0 Test_VM1.img</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;/pre&gt;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;/pre&gt;</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2">&#160;</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td 
class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>=== Readonly Image Mode ===</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>=== Readonly Image Mode ===</div></td></tr> </table> Tue, 18 May 2010 14:32:51 GMT RichardHaines http://www.selinuxproject.org/page/Talk:NB_VM RichardHaines: New page: = SELinux Virtual Machine Support = SELinux support is available in the KVM/QEMU and Xen virtual machine (VM) technologies<ref name="ftn29">KVM (Kernel-based Virtual Machine) and Xen are c... http://www.selinuxproject.org/w/?title=NB_VM&diff=963&oldid=prev http://www.selinuxproject.org/w/?title=NB_VM&diff=963&oldid=prev <p>New page: = SELinux Virtual Machine Support = SELinux support is available in the KVM/QEMU and Xen virtual machine (VM) technologies&lt;ref name=&quot;ftn29&quot;&gt;KVM (Kernel-based Virtual Machine) and Xen are c...</p> <p><b>New page</b></p><div>= SELinux Virtual Machine Support =<br /> SELinux support is available in the KVM/QEMU and Xen virtual machine (VM) technologies&lt;ref name=&quot;ftn29&quot;&gt;KVM (Kernel-based Virtual Machine) and Xen are classed as 'bare metal' hypervisors and they rely on other services to manage the overall VM environment. QEMU (Quick Emulator) is an emulator that emulates the BIOS and I/O device functionality and can be used standalone or with KVM and Xen.&lt;/ref&gt; that are discussed in the sections that follow, however the package documentation should be read for how these products actually work and how they are configured. 
<br /> <br /> Currently the main SELinux support for virtualisation is via &lt;tt&gt;libvirt&lt;/tt&gt; that is an open-source virtualisation API that can be used to dynamically load guest VMs on behalf of the virtualisation product. Security extensions were added as a part of the [http://selinuxproject.org/page/SVirt Svirt] project and the SELinux implementation for the KVM/QEMU package (&lt;tt&gt;qemu-kvm&lt;/tt&gt; and &lt;tt&gt;libvirt&lt;/tt&gt; rpms) is discussed using some examples. The Xen product has Flask/TE services that can be builtas an optional service, although it can also use the security enhanced &lt;tt&gt;libvirt&lt;/tt&gt; services as well.<br /> <br /> The sections that follow give an introduction to KVM/QEMU and then the &lt;tt&gt;libvirt&lt;/tt&gt; support with some examples that make use of the Virtual Machine Manager (&lt;tt&gt;virt-manager&lt;/tt&gt; rpm) to configure VMs, an overview of the Xen implementation then follows.<br /> <br /> == KVM / QEMU Support ==<br /> KVM is a kernel loadable module that uses the Linux kernel as a hypervisorand makes use of a modified QEMU emulator to support the hardware I/O emulation. The &quot;[http://www.redhat.com/f/pdf/rhev/DOC-KVM.pdf Kernel-based Virtual Machine]&quot; document gives a good overview of how KVM and QEMU are implemented. It also provides an introduction the virtualisation in general. <br /> <br /> The SELinux support for VMs is implemented by the &lt;tt&gt;libvirt&lt;/tt&gt; sub-system that is used to manage the VM images using a Virtual Machine Manager, and as KVM is based on Linux it has SELinux support by default. There are also Reference Policy modules to support the overall infrastructure (KVM support is in various kernel and system modules with a &lt;tt&gt;virt&lt;/tt&gt; module supporting the &lt;tt&gt;libvirt&lt;/tt&gt; services). 
The [http://taiga.selinuxproject.org/~rhaines/diagrams/20-KVM.png KVM Environment] diagram shows a high level overview with two VMs running in their own domains. The libsvirt Support section below shows how to configure these and their VM image files.<br /> <br /> <br /> == libvirt Support ==<br /> The Svirt project added security hooks into the &lt;tt&gt;libvirt&lt;/tt&gt; library that is used by the &lt;tt&gt;libvirtd&lt;/tt&gt; daemon. This daemon is used by a number of VM products (such as KVM/QEMU and Xen) to start their VMs running as guest operating systems. <br /> <br /> The security hooks can be utilised by any security mechanism by the VM supplier providing a product specific libvirt [http://libvirt.org/drvqemu.html driver] that loads and manages the images. The SELinux implementation (when SELinux is enabled on the host system) supports four methods of labeling VM images, processes and their resources with support from the Reference Policy &lt;tt&gt;modules/services/virt.*&lt;/tt&gt; loadable module&lt;ref name=&quot;ftn30&quot;&gt;The various images would have been labeled by the &lt;tt&gt;virt&lt;/tt&gt; module installation process (see the &lt;tt&gt;virt.fc&lt;/tt&gt; module file or the policy &lt;tt&gt;file_contexts&lt;/tt&gt; file &lt;tt&gt;libvirt&lt;/tt&gt; entries). If not, then need to ensure it is relabeled by the most appropriate SELinux tool.&lt;/ref&gt;. To support this labeling, &lt;tt&gt;libvirt&lt;/tt&gt; requires an MCS or MLS enabled policy as the &lt;tt&gt;level&lt;/tt&gt; entry of the security context is used (&lt;tt&gt;user:role:type:level&lt;/tt&gt;) .<br /> <br /> === Default Mode ===<br /> The default mode is where each VM is run under its own dynamically configured domain and image file therefore isolating the VMs from each other (i.e. every time the system is rebooted a different and unique MCS label will be generated to confine each VM to its own domain). 
This mode is implemented as follows:<br /> <br /> * An initial context for the process is obtained from the &lt;tt&gt;/etc/selinux/&lt;policy_name&gt;/contexts/virtual_domain_context&lt;/tt&gt; file (the default is &lt;tt&gt;system_u:system_r:svirt_t:s0&lt;/tt&gt;).<br /> * An initial context for the image file label is obtained from the &lt;tt&gt;/etc/selinux/&lt;policy_name&gt;/contexts/virtual_image_context&lt;/tt&gt; file. The default is &lt;tt&gt;system_u:system_r:svirt_image_t:s0&lt;/tt&gt; that allows read/write of image files.<br /> * When the image is used to start the VM a random MCS &lt;tt&gt;level&lt;/tt&gt; is generated and added to the process context and the image object context. The process and image objects are then transitioned to the context by the&lt;tt&gt; libselinux&lt;/tt&gt; API calls &lt;tt&gt;setfilecon&lt;/tt&gt; and &lt;tt&gt;setexeccon&lt;/tt&gt; respectively (see &lt;tt&gt;security_selinux.c&lt;/tt&gt; in the &lt;tt&gt;libvirt &lt;/tt&gt;source). The following example shows two VM sessions having different label as they were launched during the same boot session:<br /> <br /> {| border=&quot;1&quot;<br /> | '''VM'''<br /> | '''Object'''<br /> | '''Dynamically assigned security context '''<br /> <br /> |-<br /> | VM1<br /> | Process<br /> | &lt;tt&gt;system_u:system_r:svirt_t:s0:c585,c813&lt;/tt&gt;<br /> <br /> |-<br /> | VM1<br /> | File<br /> | &lt;tt&gt;system_u:system_r:svirt_image_t:s0:c585,c813&lt;/tt&gt;<br /> <br /> |-<br /> | VM2<br /> | Process<br /> | &lt;tt&gt;system_u:system_r:svirt_t:s0:c535,c601&lt;/tt&gt;<br /> <br /> |-<br /> | VM2<br /> | File<br /> | &lt;tt&gt;system_u:system_r:svirt_image_t:s0:c535,c601&lt;/tt&gt;<br /> <br /> |}<br /> <br /> <br /> The running image &lt;tt&gt;ls -Z&lt;/tt&gt; and &lt;tt&gt;ps -eZ&lt;/tt&gt; are as follows and for completeness an &lt;tt&gt;ls -Z&lt;/tt&gt; is shown when both VMs have been stopped:<br /> &lt;pre&gt;<br /> # Both VMs running:<br /> ls -Z /var/lib/libvirt/images<br /> 
system_u:object_r:svirt_image_t:s0:c585,c813 Test_VM1.img<br /> system_u:object_r:svirt_image_t:s0:c535,c601 Test_VM2.img<br /> <br /> ps -eZ | grep qemu<br /> system_u:system_r:svirt_t:s0:c585,c813 8707 ? 00:00:44 qemu<br /> system_u:system_r:svirt_t:s0:c1022,c535 8796 ? 00:00:37 qemu<br /> <br /> # Both VMs stopped (note that the categories are now missing AND the type has changed from svirt_image_t to virt_image_t):<br /> ls -Z /var/lib/libvirt/images<br /> system_u:object_r:virt_image_t:s0 Test_VM1.img<br /> system_u:object_r:virt_image_t:s0 Test_VM2.img<br /> &lt;/pre&gt;<br /> <br /> <br /> === Shared Image Mode ===<br /> If the disk image has been set to shared, then a dynamically allocated &lt;tt&gt;level&lt;/tt&gt; will be generated for each VM process instance, however there will be a single instance of the disk image. <br /> <br /> The Virtual Machine Manager can be used to set the image as shareable by checking the &lt;tt&gt;Shareable&lt;/tt&gt; box as shown in the [http://taiga.selinuxproject.org/~rhaines/diagrams/21-Sharable.png Setting the image as Shareable or Readonly] screen.<br /> <br /> This will set the image (&lt;tt&gt;Test_VM1.xml&lt;/tt&gt;) resource XML configuration file located in the &lt;tt&gt;/etc/libvirt/qemu&lt;/tt&gt; directory &lt;tt&gt;&lt;disk&gt;&lt;/tt&gt; contents as follows:<br /> &lt;pre&gt;<br /> # /etc/libvirt/qemu/Test_VM1.xml:<br /> &lt;disk type='file' device='disk'&gt;<br /> &lt;driver name='qemu' type='raw'/&gt;<br /> &lt;source file='/var/lib/libvirt/images/Test_VM1.img'/&gt;<br /> &lt;target dev='hda' bus='ide'/&gt;<br /> &lt;shareable/&gt;<br /> &lt;/disk&gt;<br /> &lt;/pre&gt;<br /> <br /> As the two VMs will share the same image, the &lt;tt&gt;Test_VM1&lt;/tt&gt; image needs to be cloned and its XML file &lt;tt&gt;&lt;disk&gt;&lt;/tt&gt; contents are as follows (note that it has the same shared image source file name):<br /> &lt;pre&gt;<br /> # /etc/libvirt/qemu/Test_VM1-clone.xml:<br /> &lt;disk type='file' 
device='disk'&gt;<br /> &lt;driver name='qemu' type='raw'/&gt;<br /> &lt;source file='/var/lib/libvirt/images/Test_VM1.img'/&gt;<br /> &lt;target dev='hda' bus='ide'/&gt;<br /> &lt;shareable/&gt;<br /> &lt;/disk&gt;<br /> &lt;/pre&gt;<br /> <br /> Now that the image has been configured as shareable, the following initialisation process will take place:<br /> <br /> * An initial context for the process is obtained from the &lt;tt&gt;/etc/selinux/&lt;policy_name&gt;/contexts/virtual_domain_context&lt;/tt&gt; file (the default is &lt;tt&gt;system_u:system_r:svirt_t:s0&lt;/tt&gt;).<br /> * An initial context for the image file label is obtained from the &lt;tt&gt;/etc/selinux/&lt;policy_name&gt;/contexts/virtual_image_context&lt;/tt&gt; file. The default is &lt;tt&gt;system_u:system_r:svirt_image_t:s0&lt;/tt&gt; that allows read/write of image files.<br /> * When the image is used to start the VM a random MCS level is generated and added to the process context (but not the image object). The process and image objects are then transitioned to the appropriate context by the&lt;tt&gt; libselinux&lt;/tt&gt; API calls &lt;tt&gt;setfilecon&lt;/tt&gt; and &lt;tt&gt;setexeccon&lt;/tt&gt; respectively. 
The following example shows each VM having the same file label but different process labels:<br /> <br /> {| border=&quot;1&quot;<br /> | '''VM'''<br /> | '''Object'''<br /> | '''Default security context '''<br /> <br /> |-<br /> | VM1<br /> | Process<br /> | &lt;tt&gt;system_u:system_r:svirt_t:s0:c231,c245&lt;/tt&gt;<br /> <br /> |-<br /> | VM1<br /> | File<br /> | &lt;tt&gt;system_u:system_r:svirt_image_t:s0&lt;/tt&gt;<br /> <br /> |-<br /> | VM2<br /> | Process<br /> | &lt;tt&gt;system_u:system_r:svirt_t:s0:c695,c894&lt;/tt&gt;<br /> <br /> |-<br /> | VM1<br /> | File<br /> | &lt;tt&gt;system_u:system_r:svirt_image_t:s0&lt;/tt&gt;<br /> <br /> |}<br /> <br /> <br /> The running image &lt;tt&gt;ls -Z&lt;/tt&gt; and &lt;tt&gt;ps -eZ&lt;/tt&gt; are as follows and for completeness an &lt;tt&gt;ls -Z&lt;/tt&gt; is shown when both VMs have been stopped:<br /> &lt;pre&gt;<br /> # Both VMs running and sharing same image as Test_VM1 was cloned:<br /> ls -Z /var/lib/libvirt/images<br /> system_u:object_r:svirt_image_t:s0 Test_VM1.img<br /> <br /> ps -eZ | grep qemu<br /> system_u:system_r:svirt_t:s0:c231,c254 6748 ? 00:01:17 qemu<br /> system_u:system_r:svirt_t:s0:c695,c894 7664 ? 00:00:03 qemu<br /> <br /> # Both VMs stopped (note that the type has remained as svirt_image_t)<br /> ls -Z /var/lib/libvirt/images<br /> system_u:object_r:svirt_image_t:s0 Test_VM1.img<br /> &lt;/pre&gt;<br /> <br /> <br /> === Readonly Image Mode ===<br /> The &lt;tt&gt;readonly&lt;/tt&gt; configuration sequence is similar to the &lt;tt&gt;shared&lt;/tt&gt; option shown above with a dynamically allocated level generated for each VM process instance and the disk image can be shared. 
The major differences are that the disk image will be read only by setting the image context to &lt;tt&gt;virt_content_t&lt;/tt&gt; (that enforces read only - see the &lt;tt&gt;virt.if&lt;/tt&gt; module interface file - &lt;tt&gt;read_blk_files_pattern&lt;/tt&gt;) instead of &lt;tt&gt;svirt_image_t&lt;/tt&gt; (that allows read/write - &lt;tt&gt;rw_blk_files_pattern&lt;/tt&gt;). <br /> <br /> The Virtual Machine Manager can be used to set the image as read only by checking the &lt;tt&gt;Readonly&lt;/tt&gt; box as shown in the [http://taiga.selinuxproject.org/~rhaines/diagrams/21-Sharable.png Setting the image as Shareable or Readonly] screen. This will set the image (&lt;tt&gt;Test_VM1.xml&lt;/tt&gt;) resource XML configuration file located in the &lt;tt&gt;/etc/libvirt/qemu&lt;/tt&gt; directory &lt;tt&gt;&lt;disk&gt;&lt;/tt&gt; contents as follows:<br /> &lt;pre&gt;<br /> # /etc/libvirt/qemu/Test_VM1.xml:<br /> &lt;disk type='file' device='disk'&gt;<br /> &lt;driver name='qemu' type='raw'/&gt;<br /> &lt;source file='/var/lib/libvirt/images/Test_VM1.img'/&gt;<br /> &lt;target dev='hda' bus='ide'/&gt;<br /> &lt;readonly/&gt;<br /> &lt;/disk&gt;<br /> &lt;/pre&gt;<br /> <br /> As the two VMs will share the same image the &lt;tt&gt;Test_VM1&lt;/tt&gt; image needs to be cloned and its XML file &lt;tt&gt;&lt;disk&gt;&lt;/tt&gt; contents will be as follows:<br /> &lt;pre&gt;<br /> # /etc/libvirt/qemu/Test_VM1-clone.xml:<br /> &lt;disk type='file' device='disk'&gt;<br /> &lt;driver name='qemu' type='raw'/&gt;<br /> &lt;source file='/var/lib/libvirt/images/Test_VM1.img'/&gt;<br /> &lt;target dev='hda' bus='ide'/&gt;<br /> &lt;readonly/&gt;<br /> &lt;/disk&gt;<br /> &lt;/pre&gt;<br /> <br /> Now that the image has been configured as &lt;tt&gt;readonly&lt;/tt&gt;, the following initialisation process will take place:<br /> <br /> * An initial context for the process is obtained from the &lt;tt&gt;/etc/selinux/&lt;policy_name&gt;/contexts/virtual_domain_context&lt;/tt&gt; file 
(the default is &lt;tt&gt;system_u:system_r:svirt_t:s0&lt;/tt&gt;).<br /> * An initial context for the image file label is obtained from the &lt;tt&gt;/etc/selinux/&lt;policy_name&gt;/contexts/virtual_image_context&lt;/tt&gt; file. The default for read only images is &lt;tt&gt;system_u:object_r:virt_content_t:s0&lt;/tt&gt; as discussed above. <br /> * When the image is used to start the VM a random MCS level is generated and added to the process context (but not the image object). The image and process objects are then transitioned to the appropriate context by the &lt;tt&gt;libselinux&lt;/tt&gt; API calls &lt;tt&gt;setfilecon&lt;/tt&gt; and &lt;tt&gt;setexeccon&lt;/tt&gt; respectively. The following example shows each VM having the same file label but different process labels:<br /> <br /> <br /> {| border=&quot;1&quot;<br /> | '''VM'''<br /> | '''Object'''<br /> | '''Default security context'''<br /> <br /> |-<br /> | VM1<br /> | Process<br /> | &lt;tt&gt;system_u:system_r:svirt_t:s0:c103,c950&lt;/tt&gt;<br /> <br /> |-<br /> | VM1<br /> | File<br /> | &lt;tt&gt;system_u:object_r:virt_content_t:s0&lt;/tt&gt;<br /> <br /> |-<br /> | VM2<br /> | Process<br /> | &lt;tt&gt;system_u:system_r:svirt_t:s0:c312,c820&lt;/tt&gt;<br /> <br /> |-<br /> | VM2<br /> | File<br /> | &lt;tt&gt;system_u:object_r:virt_content_t:s0&lt;/tt&gt;<br /> <br /> |}<br /> <br /> <br /> The running image &lt;tt&gt;ls -Z&lt;/tt&gt; and &lt;tt&gt;ps -eZ&lt;/tt&gt; are as follows, and for completeness an &lt;tt&gt;ls -Z&lt;/tt&gt; is shown when both VMs have been stopped:<br /> &lt;pre&gt;<br /> # Both VMs running and sharing same image as Test_VM1 was cloned:<br /> ls -Z /var/lib/libvirt/images<br /> system_u:object_r:virt_content_t:s0 Test_VM1.img<br /> <br /> ps -eZ | grep qemu<br /> system_u:system_r:svirt_t:s0:c103,c950 8756 ? 00:01:08 qemu<br /> system_u:system_r:svirt_t:s0:c312,c820 9246 ? 
00:01:03 qemu<br /> <br /> # Both VMs stopped (note that the type remained as virt_content_t),<br /> # however if the disk type was reset to &lt;shared/&gt;, then it would be<br /> # reset back to virt_image_t:s0 once the VM was running again.<br /> ls -Z /var/lib/libvirt/images<br /> system_u:object_r:virt_content_t:s0 Test_VM1.img<br /> &lt;/pre&gt;<br /> <br /> <br /> === Static Labeling ===<br /> It is possible to set static labels on each image file; however, a consequence of this is that the image cannot be cloned, so an image for each VM will be required. This is the method used to configure VMs on MLS systems, as there is a known label that defines the security level. With this method it is also possible to configure two or more VMs with the same security context so that they can share resources.<br /> <br /> If using the Virtual Machine Manager GUI, by default it will start each VM as it is built, so the VM needs to be stopped and then configured for a static label, and the image file will also need to be relabeled. An example VM configuration follows where the VM has been created as &lt;tt&gt;Static_VM1&lt;/tt&gt; using the F-12 &lt;tt&gt;targeted&lt;/tt&gt; policy in enforcing mode (just so all errors are flagged during the build):<br /> <br /> * Once the VM has been built, it will need to be stopped from the &lt;tt&gt;Static_VM1 Virtual Machine&lt;/tt&gt; screen. Display the &lt;tt&gt;Security&lt;/tt&gt; menu and select &lt;tt&gt;selinux&lt;/tt&gt; as the &lt;tt&gt;Model&lt;/tt&gt; and check the &lt;tt&gt;Static&lt;/tt&gt; check box. 
The required security context can then be set - for this example &lt;tt&gt;svirt_t&lt;/tt&gt; has been chosen as it is a valid context, as shown in the [http://taiga.selinuxproject.org/~rhaines/diagrams/22-Static.png Static Configuration] screen.<br /> <br /> This context will be written to the &lt;tt&gt;Static_VM1.xml&lt;/tt&gt; file in the &lt;tt&gt;/etc/libvirt/qemu&lt;/tt&gt; directory as follows:<br /> &lt;pre&gt;<br /> &lt;seclabel type='static' model='selinux'&gt;<br /> &lt;label&gt;system_u:system_r:svirt_t:s0:c1022.c1023&lt;/label&gt;<br /> &lt;/seclabel&gt;<br /> &lt;/pre&gt;<br /> <br /> * If the VM is now started, an error will be shown as in the [http://taiga.selinuxproject.org/~rhaines/diagrams/23-image-start-error.png Image Start Error] screen.<br /> <br /> : This is because the image file label is incorrect: by default it is labeled &lt;tt&gt;virt_image_t&lt;/tt&gt; when the VM image is built (and &lt;tt&gt;svirt_t&lt;/tt&gt; does not have read/write permission for this label):<br /> &lt;pre&gt;<br /> # The default label of the image at build time:<br /> system_u:object_r:virt_image_t:s0 Static_VM1.img<br /> &lt;/pre&gt;<br /> <br /> There are a number of ways to fix this, such as adding an allow rule or changing the image file label. 
In this example the image file label will be changed using &lt;tt&gt;chcon&lt;/tt&gt; as follows:<br /> &lt;pre&gt;<br /> # This command is executed from /var/lib/libvirt/images<br /> #<br /> # This sets the correct type:<br /> chcon -t svirt_image_t Static_VM1.img<br /> &lt;/pre&gt;<br /> <br /> If required, the image can also be relabeled so that the &lt;tt&gt;[level]&lt;/tt&gt; is the same as the process, using &lt;tt&gt;chcon&lt;/tt&gt; as follows:<br /> &lt;pre&gt;<br /> # This command is executed from /var/lib/libvirt/images<br /> #<br /> # Set the MCS label to match the process (optional step):<br /> chcon -l s0:c1022,c1023 Static_VM1.img<br /> &lt;/pre&gt;<br /> <br /> * Now that the image has been relabeled, the VM can be started. <br /> <br /> The following example shows two VMs (the &lt;tt&gt;unconfined_t&lt;/tt&gt; configuration is discussed below):<br /> <br /> <br /> {| border=&quot;1&quot;<br /> | '''VM'''<br /> | '''Object'''<br /> | '''Static security context'''<br /> <br /> |-<br /> | VM1<br /> | Process<br /> | &lt;tt&gt;system_u:system_r:svirt_t:s0:c1022,c1023&lt;/tt&gt;<br /> <br /> |-<br /> | VM1<br /> | File<br /> | &lt;tt&gt;system_u:object_r:svirt_image_t:s0:c1022,c1023&lt;/tt&gt;<br /> <br /> |-<br /> | VM2<br /> | Process<br /> | &lt;tt&gt;system_u:system_r:unconfined_t:s0:c11,c22&lt;/tt&gt;<br /> <br /> |-<br /> | VM2<br /> | File<br /> | &lt;tt&gt;system_u:object_r:virt_image_t:s0&lt;/tt&gt;<br /> <br /> |}<br /> <br /> <br /> The running image &lt;tt&gt;ls -Z&lt;/tt&gt; and &lt;tt&gt;ps -eZ&lt;/tt&gt; are as follows, and for completeness an &lt;tt&gt;ls -Z&lt;/tt&gt; is shown when both VMs have been stopped:<br /> &lt;pre&gt;<br /> # Both VMs running:<br /> ls -Z /var/lib/libvirt/images<br /> system_u:object_r:svirt_image_t:s0:c1022,c1023 Static_VM1.img<br /> system_u:object_r:virt_image_t:s0:c11,c22 Static_VM2.img<br /> <br /> ps -eZ | grep qemu<br /> system_u:system_r:svirt_t:s0:c585,c813 6707 ? 
00:00:45 qemu<br /> system_u:system_r:unconfined_t:s0:c11,c22 6796 ? 00:00:26 qemu<br /> <br /> # Both VMs stopped (note that Static_VM1.img was relabeled svirt_image_t to enable it to run, however Static_VM2.img is still labeled<br /> # virt_image_t and runs okay. This is because the process is run as unconfined_t that is allowed to use virt_image_t):<br /> <br /> system_u:object_r:svirt_image_t:s0:c1022,c1023 Static_VM1.img<br /> system_u:object_r:virt_image_t:s0 Static_VM2.img<br /> &lt;/pre&gt;<br /> <br /> ==== Configuring the unconfined_t image ====<br /> The objective of this section is to configure a VM domain that the targeted policy does not currently support. The domain chosen is &lt;tt&gt;unconfined_t&lt;/tt&gt; as that is the default for general users and requires a minimal additional policy module. The steps required to enable the VM are: <br /> <br /> * Using the Virtual Machine Manager, generate a VM (this has been called &lt;tt&gt;Static_VM2&lt;/tt&gt;).<br /> * Stop the VM and set a static context of &lt;tt&gt;system_u:system_r:unconfined_t:s0:c11,c22&lt;/tt&gt;. 
This context will be written to the &lt;tt&gt;Static_VM2.xml&lt;/tt&gt; file in the &lt;tt&gt;/etc/libvirt/qemu&lt;/tt&gt; directory as follows:<br /> &lt;pre&gt;<br /> &lt;seclabel type='static' model='selinux'&gt;<br /> &lt;label&gt;system_u:system_r:unconfined_t:s0:c11,c22&lt;/label&gt;<br /> &lt;/seclabel&gt;<br /> &lt;/pre&gt;<br /> <br /> * Before attempting to start the VM, clear the audit log first so that a module can be generated with &lt;tt&gt;audit2allow&lt;/tt&gt; to allow the VM to start:<br /> &lt;pre&gt;<br /> &gt; /var/log/audit/audit.log<br /> &lt;/pre&gt;<br /> <br /> * Now if the VM is started the following [http://taiga.selinuxproject.org/~rhaines/diagrams/24-image-execution-error.png Image Execution Error] will be shown on the screen.<br /> <br /> This is because the &lt;tt&gt;libvirt&lt;/tt&gt; daemon does not have permission to transition the VM process to the &lt;tt&gt;unconfined_t&lt;/tt&gt; domain. The audit log AVC entry would be:<br /> &lt;pre&gt;<br /> type=AVC msg=audit(1271080140.988:30): avc: denied { transition } for pid=2000 comm=&quot;libvirtd&quot; path=&quot;/usr/bin/qemu&quot; dev=dm-0 ino=71778 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_t:s0:c11,c22 tclass=process<br /> <br /> type=SYSCALL msg=audit(1271080140.988:30): arch=40000003 syscall=11 success=no exit=-13 a0=b425c470 a1=b427f610 a2=b42a4a68 a3=0 items=0 ppid=1999 pid=2000 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm=&quot;libvirtd&quot; exe=&quot;/usr/sbin/libvirtd&quot; subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)<br /> &lt;/pre&gt;<br /> <br /> * To generate a loadable module that will allow the transition use the following commands:<br /> &lt;pre&gt;<br /> # These cmds will generate an unconfinedvm.pp module package.<br /> # The -M option writes both unconfinedvm.te and unconfinedvm.pp itself,<br /> # so its standard output must not be redirected to the .te file:<br /> <br /> audit2allow -M unconfinedvm &lt; /var/log/audit/audit.log<br /> <br /> # Once the 
package has been generated, it needs to be activated:<br /> semodule -i unconfinedvm.pp<br /> &lt;/pre&gt;<br /> <br /> * Once the module has been loaded and the policy rebuilt, the VM can now be started. For reference the module file generated by &lt;tt&gt;audit2allow&lt;/tt&gt; consists of the following:<br /> &lt;pre&gt;<br /> module unconfinedvm 1.0;<br /> <br /> require {<br /> type unconfined_t;<br /> type virtd_t;<br /> class process transition;<br /> }<br /> <br /> #============= virtd_t ==============<br /> allow virtd_t unconfined_t:process transition;<br /> &lt;/pre&gt;<br /> <br /> <br /> == Xen Support ==<br /> This is not supported by SELinux in the usual way as it is built into the actual Xen software as a 'Flask/TE' extension&lt;ref name=&quot;ftn31&quot;&gt;This is a version of the SELinux security server, avc etc. that has been specifically ported for the Xen implementation.&lt;/ref&gt; for the XSM (Xen Security Module). Also the Xen implementation has its own built-in policy (&lt;tt&gt;xen.te&lt;/tt&gt;) and supporting definitions for access vectors, security classes and initial SIDs for the policy. These Flask/TE components run in Domain 0 as part of the domain management and control supporting the Virtual Machine Monitor (VMM) as shown in the [http://taiga.selinuxproject.org/~rhaines/diagrams/25-xen.png Xen Hypervisor] diagram. 
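The label rules from the sVirt sections above (a read-only shared image carries &lt;tt&gt;virt_content_t&lt;/tt&gt;, a read/write image for an &lt;tt&gt;svirt_t&lt;/tt&gt; process must carry &lt;tt&gt;svirt_image_t&lt;/tt&gt;, files always use the &lt;tt&gt;object_r&lt;/tt&gt; role, and a static label's categories may optionally be mirrored on the file) can be checked against a domain XML and &lt;tt&gt;ls -Z&lt;/tt&gt; output before a VM is started. This is an added example, not code from the wiki or from libvirt; the domain XML and the &lt;tt&gt;ls -Z&lt;/tt&gt; lines it is run over are constructed, and the type check only applies to the stock &lt;tt&gt;svirt_t&lt;/tt&gt; (or dynamic) case, since a domain such as &lt;tt&gt;unconfined_t&lt;/tt&gt; relies on its own policy rules.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain XML (not from a real host): the Static_VM1 case,
# a static svirt_t label and a read/write raw disk image.
STATIC_VM1_XML = """<domain type='kvm'><name>Static_VM1</name>
<seclabel type='static' model='selinux'>
  <label>system_u:system_r:svirt_t:s0:c1022,c1023</label></seclabel>
<devices><disk type='file' device='disk'>
  <driver name='qemu' type='raw'/>
  <source file='/var/lib/libvirt/images/Static_VM1.img'/>
  <target dev='hda' bus='ide'/>
</disk></devices></domain>"""

def parse_context(ctx):
    """Split user:role:type[:level] into fields; a missing level means s0."""
    user, role, type_, *rest = ctx.split(":", 3)
    sens, _, cats = (rest[0] if rest else "s0").partition(":")
    return {"user": user, "role": role, "type": type_, "sens": sens,
            "cats": set(cats.split(",")) if cats else set()}

def check_image_labels(domain_xml, ls_z_output):
    """Compare each file-backed <disk> with 'ls -Z' lines; return problems."""
    root = ET.fromstring(domain_xml)
    sec = root.find("seclabel")
    static = sec is not None and sec.get("type") == "static"
    proc = parse_context(sec.findtext("label")) if static else None
    labels = {}                      # image basename -> parsed file context
    for line in ls_z_output.splitlines():
        ctx, _, name = line.strip().partition(" ")
        if ctx and name:
            labels[name.rsplit("/", 1)[-1]] = parse_context(ctx)
    problems = []
    for disk in root.iter("disk"):
        src = disk.find("source")
        if src is None or src.get("file") is None:
            continue
        name = src.get("file").rsplit("/", 1)[-1]
        readonly = disk.find("readonly") is not None
        want = "virt_content_t" if readonly else "svirt_image_t"
        img = labels.get(name)
        if img is None:
            problems.append(f"{name}: no ls -Z entry")
            continue
        if img["role"] != "object_r":
            problems.append(f"{name}: file role {img['role']} is not object_r")
        # Only the stock svirt_t (or dynamic) case has a known expected type;
        # other domains such as unconfined_t need their own policy rules.
        if (proc is None or proc["type"] == "svirt_t") and img["type"] != want:
            problems.append(f"{name}: type {img['type']}, expected {want}")
        if proc and img["cats"] and img["cats"] != proc["cats"]:
            problems.append(f"{name}: categories {sorted(img['cats'])} "
                            f"differ from process {sorted(proc['cats'])}")
    return problems
```

Run against the build-time label from the walkthrough it reports the &lt;tt&gt;virt_image_t&lt;/tt&gt; mismatch that the &lt;tt&gt;chcon -t svirt_image_t&lt;/tt&gt; step fixes; after that step (with or without the optional &lt;tt&gt;chcon -l&lt;/tt&gt;) it reports nothing.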
<br /> <br /> The &quot;[http://www.xen.org/files/Marketing/HowDoesXenWork.pdf How Does Xen Work]&quot; document describes the basic operation of Xen, the &quot;[http://www.xen.org/files/xensummit_4/xsm-summit-041707_Coker.pdf Xen Security Modules]&quot; document describes the XSM/Flask implementation, and the &lt;tt&gt;xsm-flask.txt&lt;/tt&gt; file in the Xen source package describes how SELinux and its supporting policy is implemented.<br /> <br /> However (just to confuse the issue), there is another Xen policy module (also called &lt;tt&gt;xen.te&lt;/tt&gt;) in the Reference Policy to support the management of images etc. via the Xen console.<br /> <br /> <br /> <br /> <br /> ----<br /> &lt;references/&gt;</div> Tue, 18 May 2010 14:30:30 GMT RichardHaines http://www.selinuxproject.org/page/Talk:NB_VM