Ce contenu n'est pas disponible dans la langue sélectionnée.
4.4. sVirt Labeling
Like other services under the protection of SELinux, sVirt uses process-based mechanisms, labels, and restrictions to provide extra security and control over guest instances. Labels are applied automatically to resources on the system based on the currently running virtual machines (dynamic), but can also be manually specified by the administrator (static), to meet any specific requirements that may exist.
To edit the sVirt label of a guest, use the
virsh edit guest_name
command and add or edit <seclabel> elements as described in the sections below. <seclabel> can be used as a root element for the entire guest, or it can be specified as a sub-element of the <source> element for selecting a specific sVirt label of the given device.
For comprehensive information about the <seclabel> element, see the libvirt upstream documentation.
4.4.1. Types of sVirt Labels
The following table outlines the different sVirt labels that can be assigned to resources such as virtual machine processes, image files and shared content:
Type | SELinux Context | Description/Effect |
---|---|---|
Virtual Machine Processes | system_u:system_r:svirt_t:MCS1 | MCS1 is a randomly selected field. Currently approximately 500,000 labels are supported. |
Virtual Machine Image | system_u:object_r:svirt_image_t:MCS1 | Only svirt_t processes with the same MCS1 fields are able to read/write these image files and devices. |
Virtual Machine Shared Read/Write Content | system_u:object_r:svirt_image_t:s0 | All svirt_t processes are allowed to write to the svirt_image_t:s0 files and devices. |
Virtual Machine Shared Shared Read Only content | system_u:object_r:svirt_content_t:s0 | All svirt_t processes are able to read files/devices with this label. |
Virtual Machine Image | system_u:object_r:virt_content_t:s0 | System default label used when an image exits. No svirt_t virtual processes are allowed to read files/devices with this label. |
4.4.2. Dynamic Configuration
Dynamic label configuration is the default labeling option when using sVirt with SELinux. See the following example which demonstrates dynamic labeling:
# ps -eZ | grep qemu-kvm
system_u:system_r:svirt_t:s0:c87,c520 27950 ? 00:00:17 qemu-kvm
In this example, the
qemu-kvm
process has a base label of system_u:system_r:svirt_t:s0
. The libvirt system has generated a unique MCS label of c87,c520
for this process. The base label and the MCS label are combined to form the complete security label for the process. Likewise, libvirt takes the same MCS label and base label to form the image label. This image label is then automatically applied to all host files that the VM is required to access, such as disk images, disk devices, PCI devices, USB devices, and kernel/initrd files. Each process is isolated from other virtual machines with different labels.
The following example shows the virtual machine's unique security label (with a corresponding MCS label of
c87,c520
in this case) as applied to the guest disk image file in /var/lib/libvirt/images
:
# ls -lZ /var/lib/libvirt/images/*
system_u:object_r:svirt_image_t:s0:c87,c520 image1
The following example shows dynamic labeling in the XML configuration for the guest:
<seclabel type='dynamic' model='selinux' relabel='yes'> <label>system_u:system_r:svirt_t:s0:c87,c520</label> <imagelabel>system_u:object_r:svirt_image_t:s0:c87,c520</imagelabel> </seclabel>
4.4.3. Dynamic Configuration with Base Labeling
To override the default base security label in dynamic mode, the
<baselabel>
option can be configured manually in the XML guest configuration, as shown in this example:
<seclabel type='dynamic' model='selinux' relabel='yes'> <baselabel>system_u:system_r:svirt_custom_t:s0</baselabel> <label>system_u:system_r:svirt_custom_t:s0:c87,c520</label> <imagelabel>system_u:object_r:svirt_image_t:s0:c87,c520</imagelabel> </seclabel>
4.4.4. Static Configuration with Dynamic Resource Labeling
Some applications require full control over the generation of security labels but still require libvirt to take care of resource labeling. The following guest XML configuration demonstrates an example of static configuration with dynamic resource labeling:
<seclabel type='static' model='selinux' relabel='yes'> <label>system_u:system_r:svirt_custom_t:s0:c87,c520</label> </seclabel>
4.4.5. Static Configuration without Resource Labeling
Primarily used in multi-level security (MLS) and other strictly controlled environments, static configuration without resource relabeling is possible. Static labels allow the administrator to select a specific label, including the MCS/MLS field, for a virtual machine. Administrators who run statically-labeled virtual machines are responsible for setting the correct label on the image files. The virtual machine will always be started with that label, and the sVirt system will never modify the label of a statically-labelled virtual machine's content. The following guest XML configuration demonstrates an example of this scenario:
<seclabel type='static' model='selinux' relabel='no'> <label>system_u:system_r:svirt_custom_t:s0:c87,c520</label> </seclabel>
4.4.6. sVirt Labeling and NFS
To use sVirt labeling on a NFSv4.1 or NFSv4.2 file system, you need to change the SELinux context to
virt_var_lib_t
for the root of the NFS directory that you are exporting for guest sharing. For example, if you are exporting the /exports/nfs/
directory, use the following commands:
#semanage fcontext -a -t virt_var_lib_t '/exports/nfs/'
#restorecon -Rv /exports/nfs/
In addition, when
libvirt
dynamically generates an sVirt label for a guest virtual machines on a NFS volume, it only guarantees label uniqueness within a single host. This means that if a high number of guests across multiple hosts share a NFS volume, it is possible for duplicate labels to occur, which creates a potential vulnerability.
To avoid this situation, do one of the following:
- Use a different NFS volume for each virtualization host. In addition, when performing guest migration, copy the guest storage by using the
--migrate-disks
and--copy-storage-all
options. - When creating a new guest with the
virt-install
command, set a static label for the guest by:- Using the
--security
option. For example:#
virt-install --name guest1-rhel7 --memory 2048 --vcpus 2 --disk size=8 --cdrom /home/username/Downloads/rhel-workstation-7.4-x86_64-dvd.iso --os-variant rhel7 --security model=selinux,label='system_u:object_r:svirt_image_t:s0:c100,c200'
This sets the security label for all disks on the guest. - Using the
--disk
option with theseclabel
parameter. For example:#
virt-install --name guest1-rhel7 --memory 2048 --vcpus 2 --disk /path/to/disk.img,seclabel.model=selinux,seclabel.label='system_u:object_r:svirt_image_t:s0:c100,c200' --cdrom /home/username/Downloads/rhel-workstation-7.4-x86_64-dvd.iso --os-variant rhel7
This sets the security label only on the specified disks.