Features/SVirt Mandatory Access Control

From FedoraProject

< Features(Difference between revisions)
Jump to: navigation, search
(first cut at this page)
 
(How To Test)
 
(16 intermediate revisions by 5 users not shown)
Line 10: Line 10:
  
 
* Targeted release: [[Releases/11|Fedora 11]]
 
* Targeted release: [[Releases/11|Fedora 11]]
* Last updated: 2009-01-30
+
* Last updated: 2009-03-4
* Percentage of completion: 30%
+
* Percentage of completion: 100%
  
=== TODO ===
+
=== Completed ===
  
* See sVirt [http://selinuxproject.org/page/SVirt/TODO TODO list]
+
The core support in libvirt 0.6.1, and SELinux policy & tools is now available in rawhide. Changes to virt-manager are not required, since libvirt automatically assigns unique security labels to all guests.
* Merge the patch into upstream libvirt, release and package in Fedora
+
* Policy
+
* Label assignment in virt-manager?
+
 
+
=== Completed ===
+
  
 
* Initial announcement and [http://www.redhat.com/archives/libvir-list/2008-August/thread.html#00255 subsequent discussion] (August 2008)
 
* Initial announcement and [http://www.redhat.com/archives/libvir-list/2008-August/thread.html#00255 subsequent discussion] (August 2008)
* See latest (v0.30) [http://namei.org/svirt/svirt-0.30/libvirt.patch libvirt patch], [http://namei.org/svirt/svirt-0.30/readme.txt readme] and [http://namei.org/svirt/svirt-0.30/changelog.txt changelog]
+
* See latest [http://namei.org/svirt/svirt-0.30/readme.txt readme]
 +
* See sVirt [http://selinuxproject.org/page/SVirt/TODO TODO list]
 +
* Merge the patch into upstream libvirt, release and package in Fedora [DONE]
 +
* Policy [DONE]
 +
* sVirt available in libvirt 0.6.1 http://www.redhat.com/archives/libvir-list/2009-March/msg00144.html
  
 
== Detailed Description ==
 
== Detailed Description ==
Line 45: Line 44:
 
== Scope ==
 
== Scope ==
  
The work primarily involves modifications to libvirt, but also virt-manager, SELinux policy and, perhaps, QEMU.
+
The work primarily involves modifications to libvirt, SELinux policy and, libselinux.
 +
 
 +
Future work will be done on virt-manager and python-virtinst to allow static setting of the labels.
  
 
== How To Test ==
 
== How To Test ==
 +
Make sure the virtual machines are running with a categorized context.
 +
 +
If you had a virtual machine named F11
 +
For example <code>system_u:system_r:svirt_t:s0:c344,c902</code>
 +
 +
* If it is running as <code>system_u:system_r:qemu_t:s0</code> or some other context then sVirt is not working.
 +
 +
<code>ps -eZ | grep qemu</code>.
 +
 +
* The image file for the qemu should be labeled similarly
 +
 +
<code>ls -lZ /var/lib/libvirt/images/F11.img</code>
 +
 +
Should show a context like the following.
 +
 +
<code>system_u:object_r:svirt_image_t:s0:c344,c902</code>
 +
 +
* To make sure SELinux is blocking illegal access you can change the context on the image
 +
 +
<code>chcon -l s0:c1  /var/lib/libvirt/images/F11.img</code>
 +
 +
Now the running image will start to blow up with a permission denied and generate an avc indicating
 +
<code>system_u:system_r:svirt_t:s0:c344,c902 tried to write to system_u:object_r:svirt_image_t:s0:c1</code>
 +
 +
* See also http://www.redhat.com/archives/libvir-list/2009-March/msg00134.html
 +
 +
 +
I would like to see insertion of CDROM devices, USB Other forms of devices and make sure they are labeled correctly.
 +
 +
Make sure you can stop and start a service.
 +
 +
Check cloning and saving to a /var/lib/libvirt/images directory.
  
 
== User Experience ==
 
== User Experience ==
 +
 +
Theoretically the user should not experience anything.  This should just happen automatically and the virtual machines should just work.
 +
 +
The user will be able to configure whether or not he wants isolated virtual machines.
  
 
== Dependencies ==
 
== Dependencies ==
 +
 +
svirt depends on updates to libvirt, selinux-policy, libselinux.
  
 
== Contingency Plan ==
 
== Contingency Plan ==
 +
 +
The goal is to get all the plumbing for svirt to work in F11, but the GUI for managing the environment might not be ready. 
 +
 +
Dynamic labeling is now completed.  In the future we want to allow static labeling where libvirt will just label the processes
 +
with a static label given to it from the virt-manager/virsh.  This functionality could then be used by MLS environments that would
 +
like to run their virtual machines at a single level.
  
 
== Documentation ==
 
== Documentation ==
Line 69: Line 114:
  
 
* See [[Talk:Features/SVirt Mandatory Access Control]]
 
* See [[Talk:Features/SVirt Mandatory Access Control]]
 
----
 
  
 
[[Category:Virtualization|SVirt Mandatory Access Control]]
 
[[Category:Virtualization|SVirt Mandatory Access Control]]
 +
[[Category:F11 Virt Features|SVirt Mandatory Access Control]]
  
[[Category:FeaturePageIncomplete]]
+
[[Category:FeatureAcceptedF11]]
<!-- Category:FeatureReadyForWrangler -->
+

Latest revision as of 15:47, 12 June 2009

Contents

[edit] Summary

sVirt integrates SELinux with the Fedora virtualization stack to allow Mandatory Access Control (MAC) security be applied to guest virtual machines. Amongst other things, this prevents a security bug in the hypervisor from allowing guests to attack the host or one another.

[edit] Owner

[edit] Current status

  • Targeted release: Fedora 11
  • Last updated: 2009-03-4
  • Percentage of completion: 100%

[edit] Completed

The core support in libvirt 0.6.1, and SELinux policy & tools is now available in rawhide. Changes to virt-manager are not required, since libvirt automatically assigns unique security labels to all guests.

[edit] Detailed Description

Before virtualization, machines were physically separated. Any security exploit is reasonably well contained to the affected machine, with the obvious exception of network attacks.

With virtualization, a security flaw in the hypervisor may be exploited by a guest and allow the guest to attack the host, or even other guests running on that host. Hypervisors are complex pieces of code, so hypervisor vulnerabilities are far from a theoretical concern.

sVirt is an effort started by James Morris which aims to isolate guests using MAC security policy (i.e. SELinux). It introduces a pluggable security framework to libvirt and a SELinux implementation.

The sVirt framework allows guests and their resources to be uniquely labelled. Once labelled, rules can be applied which reject accesses between different guests.

[edit] Benefit to Fedora

The strong security policy enforcement provided by SELinux means that Fedora systems are well protected from malicious attempts to exploit security flaws.

sVirt brings that same benefit to Fedora's virtualization support. Integration of MAC will help increase the overall robustness and security assurance of Fedora host systems.

sVirt is a foray into an emerging field of security research. By adopting this work, Fedora will continue to lead the way in providing fully integrated security solutions and virtualization support.

[edit] Scope

The work primarily involves modifications to libvirt, SELinux policy and, libselinux.

Future work will be done on virt-manager and python-virtinst to allow static setting of the labels.

[edit] How To Test

Make sure the virtual machines are running with a categorized context.

If you had a virtual machine named F11 For example system_u:system_r:svirt_t:s0:c344,c902

  • If it is running as system_u:system_r:qemu_t:s0 or some other context then sVirt is not working.

ps -eZ | grep qemu.

  • The image file for the qemu should be labeled similarly

ls -lZ /var/lib/libvirt/images/F11.img

Should show a context like the following.

system_u:object_r:svirt_image_t:s0:c344,c902

  • To make sure SELinux is blocking illegal access you can change the context on the image

chcon -l s0:c1 /var/lib/libvirt/images/F11.img

Now the running image will start to blow up with a permission denied and generate an avc indicating system_u:system_r:svirt_t:s0:c344,c902 tried to write to system_u:object_r:svirt_image_t:s0:c1


I would like to see insertion of CDROM devices, USB Other forms of devices and make sure they are labeled correctly.

Make sure you can stop and start a service.

Check cloning and saving to a /var/lib/libvirt/images directory.

[edit] User Experience

Theoretically the user should not experience anything. This should just happen automatically and the virtual machines should just work.

The user will be able to configure whether or not he wants isolated virtual machines.

[edit] Dependencies

svirt depends on updates to libvirt, selinux-policy, libselinux.

[edit] Contingency Plan

The goal is to get all the plumbing for svirt to work in F11, but the GUI for managing the environment might not be ready.

Dynamic labeling is now completed. In the future we want to allow static labeling where libvirt will just label the processes with a static label given to it from the virt-manager/virsh. This functionality could then be used by MLS environments that would like to run their virtual machines at a single level.

[edit] Documentation

[edit] Release Notes

Fedora 11 integrates SELinux's Mandatory Access Control with Virtualization. Virtual machines can now be much more effectively isolated from the host and one another, giving the increased assurance that security flaws cannot be exploited by malicious guests.

[edit] Comments and Discussion