On Fri, May 20, 2011 at 02:48:23PM -0400, Corey Bryant wrote: > sVirt provides SELinux MAC isolation for Qemu guest processes and their > corresponding resources (image files). sVirt provides this support > by labeling guests and resources with security labels that are stored > in file system extended attributes. Some file systems, such as NFS, do > not support the extended attribute security namespace, which is needed > for image file isolation when using the sVirt SELinux security driver > in libvirt.
This will also allow libvirt to run QEMU confined by the Linux container functionality. In particular it lets us use CLONE_NEWNS flag to isolate its root filesystem, without having to worry about setting up passthrough mounts for each disk image it needs to access, which is a real pain when it comes to hotplug. Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
