Installation guide

Chapter 17. sVirt
17.1. Security and Virtualization
When services are not virtualized, machines are physically separated, so an exploit is usually contained
to the affected machine, with the obvious exception of network attacks. When services are grouped
together in a virtualized environment, the hypervisor becomes an additional shared attack surface. If
a guest can exploit a security flaw in the hypervisor, that guest may be able to attack not only the
host but also the other guests running on that host. This is not theoretical: attacks on hypervisors
already exist, and they can extend beyond the compromised guest and expose other guests on the same
host to attack.
sVirt is an effort to isolate guests and limit their ability to launch further attacks if exploited. This is
demonstrated in the following image, where an attack cannot break out of the compromised guest and
spread to the host or to another guest instance:
sVirt builds on the Mandatory Access Control (MAC) implemented by SELinux to provide a pluggable
security framework for virtualized instances. The sVirt framework gives each guest and its resources
(disk images, devices) a unique label. Once labeled, policy rules deny access between differently
labeled guests, so a compromised guest process cannot read or write another guest's resources.
17.2. sVirt labeling
Like other services under the protection of SELinux, sVirt uses process-based mechanisms and
restrictions to provide an extra layer of security over guest instances. Under typical use, you should
not even notice that sVirt is working in the background. This section describes the labeling features of
sVirt.
As shown in the following output, when using sVirt, each virtualized guest process is labeled and runs
with a dynamically generated MCS level. The type (svirt_t) is the same for every guest; what differs is
the pair of categories (for example c87,c520) appended to the sensitivity s0, which libvirt generates
when the guest starts. Policy only lets a process access objects that carry its own categories, so each
guest process is isolated from the VMs running with a different level:
# ps -eZ | grep qemu
system_u:system_r:svirt_t:s0:c87,c520 27950 ? 00:00:17 qemu-kvm
system_u:system_r:svirt_t:s0:c639,c757 27989 ? 00:00:06 qemu-system-x86
The disk images themselves are automatically labeled to match their guest process (type svirt_image_t
with the same category pair), as shown in the following output:
# ls -lZ /var/lib/libvirt/images/*
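To make the labeling concrete, the following POSIX shell script is an added example; it is not part of this guide or of libvirt. It extracts the MCS categories from SELinux contexts of the form shown in the ps -eZ and ls -lZ output above and checks that two guest processes carry different category sets, that a disk image's categories match its own guest's, and that no two running guests share a level. The sample ps -eZ and ls -lZ lines at the bottom are constructed to resemble the output in this chapter; the svirt_image_t type on the images and the process and image contexts used as sample data are assumptions.

```sh
#!/bin/sh
# Added example (not from the guide or from libvirt): audit sVirt MCS labels.
# Works on contexts of the form user:role:type:s0:cA,cB as printed by
# ps -eZ and ls -lZ. Category ranges such as c0.c1023 are not handled.

# mcs_of CONTEXT: print the MCS level, e.g. s0:c87,c520
mcs_of() {
    printf '%s\n' "$1" | cut -d: -f4-
}

# cats_of CONTEXT: print the category numbers sorted and space separated,
# e.g. "87 520 ", so that c520,c87 and c87,c520 compare equal.
# Prints nothing for a level without categories (plain s0).
cats_of() {
    mcs_of "$1" | cut -s -d: -f2 | tr ',' '\n' | sed 's/^c//' | sort -n | tr '\n' ' '
}

# isolated CTX_A CTX_B: succeed when the two contexts carry different,
# non-empty category sets, i.e. MCS separates the two guests.
isolated() {
    a=$(cats_of "$1"); b=$(cats_of "$2")
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" != "$b" ]
}

# matches PROC_CTX IMAGE_CTX: succeed when the disk image has the same
# categories as the guest process, which is what sVirt's dynamic labeling
# produces, so the guest can reach its own image and nothing else.
matches() {
    a=$(cats_of "$1"); b=$(cats_of "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# unique_levels: read "ps -eZ" style lines on stdin (context first), succeed
# only when every process has its own non-empty category set. A collision
# would mean two guests share a level and MCS would not separate them.
unique_levels() {
    seen=""
    while read -r ctx rest; do
        [ -n "$ctx" ] || continue
        c=$(cats_of "$ctx")
        [ -n "$c" ] || return 1
        case " $seen " in *" [$c] "*) return 1 ;; esac
        seen="$seen [$c]"
    done
    return 0
}

# Constructed sample data resembling the ps -eZ output shown in this chapter.
PS_SAMPLE='system_u:system_r:svirt_t:s0:c87,c520 27950 ? 00:00:17 qemu-kvm
system_u:system_r:svirt_t:s0:c639,c757 27989 ? 00:00:06 qemu-system-x86'

# Constructed process and image contexts; the svirt_image_t type is assumed.
PROC_A='system_u:system_r:svirt_t:s0:c87,c520'
PROC_B='system_u:system_r:svirt_t:s0:c639,c757'
IMG_A='system_u:object_r:svirt_image_t:s0:c87,c520'
IMG_B='system_u:object_r:svirt_image_t:s0:c639,c757'

# Demo: report whether the sample labels give each guest a private level.
if printf '%s\n' "$PS_SAMPLE" | unique_levels; then
    echo "every guest process has its own MCS category set"
else
    echo "WARNING: two guest processes share an MCS category set"
fi
matches "$PROC_A" "$IMG_A" && echo "guest A can reach its own image"
isolated "$PROC_A" "$IMG_B" && echo "guest A is separated from guest B's image"
```

On a live host the same functions can be fed real output, for example `ps -eZ | grep qemu | unique_levels`, to confirm that no two guests were started with the same category pair; a shared pair (or a static level set by hand for several guests) is exactly the condition under which sVirt no longer separates them.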