sVirt and KVM
stacksofplates last edited by stacksofplates
sVirt is the application of SELinux against virtualization. In RHEL 7 and up, SELinux contexts are added to each KVM virtual machine to ensure separation from the host and other guests. Here's an output from my machine (running Fedora 24):
```
[[email protected] ~]$ ps -efZ | grep svirt
system_u:system_r:svirt_t:s0:c102,c768 qemu 2221 1 93 08:41 ? 00:00:04 /usr/bin/qemu-system-x86_64 -machine accel=kvm -name Jenkins
system_u:system_r:svirt_t:s0:c50,c877 qemu 2259 1 89 08:41 ? 00:00:01 /usr/bin/qemu-system-x86_64 -machine accel=kvm -name Ansible
```
Each machine receives the svirt_t context type and a different MCS (Multi Category Security) label. From the output above, Jenkins has c102 & c768 while Ansible has c50 & c877.
The same is true for the disk images:
```
[[email protected] VMs]$ ls -Z
system_u:object_r:svirt_image_t:s0:c50,c877 Ansible.qcow2
system_u:object_r:svirt_image_t:s0:c102,c768 jenkins.qcow2
```
Both disk images have matching MCS labels and svirt context types.
Libvirt takes care of assigning the MCS labels automatically when the guest is started. If you run the guest without libvirt, using qemu directly, this is not the case.
When the guests are shut down the disks go back to their normal labeling:
```
[[email protected] VMs]$ ls -Z
unconfined_u:object_r:virt_content_t:s0 Ansible.qcow2
unconfined_u:object_r:virt_content_t:s0 jenkins.qcow2
```
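A defender's check for the separation described in the post above, added here as an example and not part of stacksofplates' post: it parses the label fields shown in the post and confirms that each running guest's MCS category pair is unique and matches the label on its disk image. The two sample strings are constructed from the post's output; on a live host the same pipeline would read `ps -eo label,pid,args | grep svirt_t` and `ls -Z` on the image directory.

```shell
#!/bin/sh
# Added example, not from the original post: check the separation it describes,
# that each svirt_t guest has its own MCS category pair and its disk image the same.
# SAMPLE strings are constructed from the post's output; live they would come from
# `ps -eo label,pid,args | grep svirt_t` and `ls -Z` on the image directory.
PS_SAMPLE='system_u:system_r:svirt_t:s0:c102,c768 2221 /usr/bin/qemu-system-x86_64 -machine accel=kvm -name Jenkins
system_u:system_r:svirt_t:s0:c50,c877 2259 /usr/bin/qemu-system-x86_64 -machine accel=kvm -name Ansible'
LS_SAMPLE='system_u:object_r:svirt_image_t:s0:c50,c877 Ansible.qcow2
system_u:object_r:svirt_image_t:s0:c102,c768 jenkins.qcow2'

# mcs_of CONTEXT: the category set, i.e. the 5th colon field of
# user:role:type:sensitivity:categories (e.g. c102,c768); empty if none.
mcs_of() {
    printf '%s\n' "$1" | awk -F: '{ if (NF >= 5) print $5; else print "" }'
}

# guest_mcs NAME: categories of the qemu process started with "-name NAME".
guest_mcs() {
    ctx=$(printf '%s\n' "$PS_SAMPLE" | awk -v n="$1" \
        '{ for (i = 1; i < NF; i++) if ($i == "-name" && $(i + 1) == n) print $1 }')
    mcs_of "$ctx"
}

# image_mcs FILE: categories currently on disk image FILE.
image_mcs() {
    ctx=$(printf '%s\n' "$LS_SAMPLE" | awk -v f="$1" '$2 == f { print $1 }')
    mcs_of "$ctx"
}

# image_matches_guest FILE NAME: true only when the guest has categories and
# FILE carries exactly the same ones.
image_matches_guest() {
    g=$(guest_mcs "$2")
    [ -n "$g" ] && [ "$g" = "$(image_mcs "$1")" ]
}

# unique_categories: true when every svirt_t process has categories and no two
# share a pair (a shared pair would let one guest's qemu open the other's image).
unique_categories() {
    cats=$(printf '%s\n' "$PS_SAMPLE" | awk '{ print $1 }' |
        awk -F: '{ if (NF >= 5) print $5; else print "NONE" }')
    [ -z "$(printf '%s\n' "$cats" | sort | uniq -d)" ] &&
        ! printf '%s\n' "$cats" | grep -q '^NONE$'
}

if image_matches_guest jenkins.qcow2 Jenkins && image_matches_guest Ansible.qcow2 Ansible &&
   unique_categories; then echo "sVirt separation OK"; else echo "sVirt separation BROKEN"; fi
```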
travisdh1 last edited by travisdh1
Good information, always like to see more about SELinux.