From SELinux Wiki
(Difference between revisions)
|Revision as of 00:24, 16 December 2008
JamesMorris
|Revision as of 00:37, 16 December 2008
JamesMorris
|Line 7:||Line 7:|
|* Convert existing storage labeling||* Convert existing storage labeling|
|* MCS dynamic labeling for simple isolation||* MCS dynamic labeling for simple isolation|
|+||* Make virsh nodeinfo show security model|
|==== (via feedback from v0.20) ====||==== (via feedback from v0.20) ====|
Revision as of 00:37, 16 December 2008
sVirt To Do List
- Fix SELinux build configuration
- Convert existing storage labeling
- MCS dynamic labeling for simple isolation
- Make virsh nodeinfo show security model
(via feedback from v0.20)
- Move security model/doi to last fields in virsh dominfo
- Change virDomainSecLabel -> virSecurityLabel
- Change virDomainSecModel -> virSecurityModel
- Use CHECK_LIB/HEADER to detect libselinux (and fix build system in general)
- Rename virDomainGetSecModel to virNodeGetSecurityModel
- Integrate model into SecurityLabel (in case node config differs) ?
- Change -2 error returns to -1.
- Use remoteDispatchOOMError() for OOM errors.
- Use virXPathStringLimit() vs. virDomainSecLabelDefParseXMLString().
- Move libvirt symbols to public API before merge.
- Identify which tools and related docs need to be made sVirt-aware
- Security review by KVM and core virt folk
- Review overall policy to ensure e.g. all command-line tools catered for, things like memory peek don't breach design etc.
- Policy for save/dump/restore
- Integration with GUI tools (virt-manager etc.)
- General OS integration
- Basic storage labeling support (investigate labeling for non-image devices, e.g. mapping UUID, HAL etc.)
- Possibly include context-mount labeling of NFS bind mounts for remote images
- Have domains run in separate directories to allow persistent labeling of resources (e.g. at rest, use MCS c0). (Check with danpb to see what the plans are here)
- Find owner for Fedora (dwalsh or danpb ?) and add to feature wiki
- Investigate generator.py for new API calls
- Make autostart work properly
- Policy for /dev/kvm (and similar)
- Policy for control sockets, virtual console, vnc access, shared devices, parent/child communications etc.
- Placement and policy for VM log files
- Debug integration with audit subsystem
- Add testcases to libvirt test framework
- Handle qemud restart
- Integration with oVirt ?
- libvirtd config: require enforcing mode option ?
- Do we need MAC policy for defining and undefining domains?
- Support for session mode (not just system mode)
- Integrate with RBAC/UBAC ?
- Make DOI configurable
- Migrate isolated domains between security models
- Deployment of labeled appliances via virt-image etc.
- Migration of labeled domains
- Integration with virtual firewalling
- Integration with Labeled Networking/IPSec/Labeled NFS (e.g. use of overlay VPNs for networks on host)
- Extensive device labeling support
- Labeling for all kinds of devices
- Boot from network storage
- Strong binding of resources to domains, via e.g. crypto, TPM, vTPM etc.
- Support virtualization in policy generation wizard
- Support for other security models (SMACK)