sVirt and KVM

  • sVirt is the application of SELinux to virtualization. In RHEL 7 and up, SELinux contexts are added to each KVM virtual machine to ensure separation from the host and from other guests. Here's the output from my machine (running Fedora 24):

    [user@host ~]$ ps -efZ | grep svirt
    system_u:system_r:svirt_t:s0:c102,c768 qemu 2221   1 93 08:41 ?        00:00:04 /usr/bin/qemu-system-x86_64 -machine accel=kvm -name Jenkins
    system_u:system_r:svirt_t:s0:c50,c877 qemu 2259    1 89 08:41 ?        00:00:01 /usr/bin/qemu-system-x86_64 -machine accel=kvm -name Ansible

    Each machine receives the svirt_t context type and a different MCS (Multi Category Security) label. From the output above, Jenkins has c102 & c768 while Ansible has c50 & c877.

    The same is true for the disk images:

    [user@host VMs]$ ls -Z
    system_u:object_r:svirt_image_t:s0:c50,c877 Ansible.qcow2
    system_u:object_r:svirt_image_t:s0:c102,c768 jenkins.qcow2

    Both disk images have matching MCS labels and svirt context types.

    Libvirt automatically assigns the MCS labels when the guest is started. If you run the guest without libvirt, using qemu directly, this is not the case.

    When the guests are shut down, the disks go back to their normal labeling:

    [user@host VMs]$ ls -Z
    unconfined_u:object_r:virt_content_t:s0 Ansible.qcow2
    unconfined_u:object_r:virt_content_t:s0 jenkins.qcow2

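As an added example (not part of the original post), here is a small audit that parses the `ps -efZ` and `ls -Z` listings above and flags the failure modes the post mentions: a guest running with no MCS categories (started outside libvirt), two guests sharing a category pair, or an image that is not labeled `svirt_image_t` while a guest runs. The sample input is constructed from the listings above; in practice you would feed it the real command output.

```python
import re
from collections import Counter

# Constructed sample: the `ps -efZ | grep svirt` lines from the post above.
PS_OUTPUT = """\
system_u:system_r:svirt_t:s0:c102,c768 qemu 2221 1 93 08:41 ? 00:00:04 /usr/bin/qemu-system-x86_64 -machine accel=kvm -name Jenkins
system_u:system_r:svirt_t:s0:c50,c877 qemu 2259 1 89 08:41 ? 00:00:01 /usr/bin/qemu-system-x86_64 -machine accel=kvm -name Ansible
"""
# Constructed sample: `ls -Z` in the image directory while both guests run.
LS_OUTPUT = """\
system_u:object_r:svirt_image_t:s0:c50,c877 Ansible.qcow2
system_u:object_r:svirt_image_t:s0:c102,c768 jenkins.qcow2
"""
CTX_RE = re.compile(r"^[^:]+:[^:]+:(?P<type>[^:]+):(?P<level>\S+)")

def parse_context(ctx):
    """Return (type, MCS categories) from a user:role:type:level context."""
    m = CTX_RE.match(ctx)
    level = m.group("level")                      # "s0:c102,c768" or just "s0"
    cats = frozenset(level.split(":", 1)[1].split(",")) if ":" in level else frozenset()
    return m.group("type"), cats

def guests_from_ps(text):
    """Map each qemu process (by its -name, else PID) to (type, categories)."""
    guests = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        m = re.search(r"-name\s+(\S+)", line)
        guests[m.group(1) if m else "pid:" + fields[2]] = parse_context(fields[0])
    return guests

def images_from_ls(text):
    return {f[1]: parse_context(f[0]) for f in (l.split(None, 1) for l in text.splitlines()) if len(f) == 2}

def audit(guests, images):
    """Return findings; an empty list means sVirt separation looks intact."""
    findings = []
    for name, (typ, cats) in guests.items():
        if typ != "svirt_t":
            findings.append(f"guest {name} runs as {typ}, not svirt_t")
        elif not cats:
            findings.append(f"guest {name} has no MCS categories (started outside libvirt?)")
    for cats, n in Counter(c for _, c in guests.values()).items():
        if cats and n > 1:          # same pair means the guests can reach each other's images
            findings.append(f"{n} guests share categories {sorted(cats)}")
    running = {c for _, c in guests.values()}
    for path, (typ, cats) in images.items():
        if typ != "svirt_image_t":
            findings.append(f"{path} is {typ}, not svirt_image_t (guest stopped or unlabeled?)")
        elif cats not in running:
            findings.append(f"{path} categories {sorted(cats)} match no running guest")
    return findings
```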

  • Good information, always like to see more about SELinux.