2010-06-07 12:45:47

by cpebenito

Subject: [refpolicy] kernel_corenetwork.te.in.patch

On Mon, 2010-06-07 at 10:30 +0100, Daniel P. Berrange wrote:
> On Fri, Jun 04, 2010 at 04:32:25PM -0400, Daniel J Walsh wrote:
> > On 06/04/2010 11:43 AM, Christopher J. PeBenito wrote:
> > >On Fri, 2010-06-04 at 10:53 -0400, Daniel J Walsh wrote:
> > >>On 06/04/2010 09:52 AM, Christopher J. PeBenito wrote:
> > >>>On Wed, 2010-06-02 at 16:18 -0400, Daniel J Walsh wrote:
> > >>>>http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_corenetwork.te.in.patch
> > >>>>
> > >>>>tun_tap_device is an mls trusted object
> > >>>
> > >>>Why? This seems wrong to me.
> > >
> > >>I think virtual machines at different levels need to talk to this device.
> > >
> > >But there are several of these devices. Making it trusted means that
> > >there's no separation between the networks, which seems contrary to what
> > >a MLS system would want. More likely, the MLS label needs to be changed
> > >as needed.
> > >
> > I think the kernel will take care of the isolation.
> >
> > Eric, Dan, is the tuntap device per qemu instance?
>
> Yes, every guest NIC gets associated with its own TAP device. libvirtd
> opens /dev/net/tun. This creates new tap devices 'vnet0', 'vnet1',
> 'vnet2' etc. The file descriptor for each NIC's tap device is passed to
> the QEMU process when it starts, or using SCM_RIGHTS for NIC hotplug
> to an existing QEMU.

This is my exact point. You're trusting libvirtd to handle all that
correctly. Nothing stops qemu from using the wrong device. This just
reinforces my thinking that it is _not_ a trusted device.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
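The hand-off Daniel Berrange describes above (a management daemon opens /dev/net/tun, binds a TAP interface to the resulting descriptor, and passes that descriptor to the guest process over a UNIX socket with SCM_RIGHTS) is shown below as an added example. It is not code from the thread, from libvirt or from QEMU; the function names open_tap, send_fd, recv_fd and check_fd_passing, and the interface name "vnet-example", are this example's own. Binding a TAP interface needs CAP_NET_ADMIN, so open_tap fails as an ordinary user; the descriptor-passing self-check uses a pipe instead of a TAP device so it runs unprivileged.

```c
/* Added example: create a TAP device and hand its fd to another process
 * with SCM_RIGHTS. Names (open_tap, send_fd, recv_fd, check_fd_passing)
 * are hypothetical; this is not libvirt's or QEMU's code. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <unistd.h>
#include <linux/if.h>
#include <linux/if_tun.h>

/* Open /dev/net/tun and bind the descriptor to a TAP interface called
 * `name`. Needs CAP_NET_ADMIN; returns -1 on failure with errno set. */
int open_tap(const char *name)
{
    struct ifreq ifr;
    int fd = open("/dev/net/tun", O_RDWR);
    if (fd < 0)
        return -1;
    memset(&ifr, 0, sizeof(ifr));
    ifr.ifr_flags = IFF_TAP | IFF_NO_PI;      /* raw Ethernet frames, no header */
    strncpy(ifr.ifr_name, name, IFNAMSIZ - 1);
    if (ioctl(fd, TUNSETIFF, &ifr) < 0) {
        close(fd);
        return -1;
    }
    return fd;                               /* this fd *is* the TAP device */
}

/* Send one file descriptor over a connected UNIX-domain socket. */
int send_fd(int sock, int fd)
{
    char byte = 'F';                         /* one payload byte is required */
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    char buf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg;
    struct cmsghdr *cmsg;

    memset(buf, 0, sizeof(buf));
    memset(&msg, 0, sizeof(msg));
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = buf;
    msg.msg_controllen = sizeof(buf);
    cmsg = CMSG_FIRSTHDR(&msg);
    cmsg->cmsg_level = SOL_SOCKET;
    cmsg->cmsg_type = SCM_RIGHTS;            /* kernel duplicates fd into the peer */
    cmsg->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one file descriptor; returns the new local fd or -1. */
int recv_fd(int sock)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    char buf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg;
    struct cmsghdr *cmsg;
    int fd = -1;

    memset(&msg, 0, sizeof(msg));
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = buf;
    msg.msg_controllen = sizeof(buf);
    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    cmsg = CMSG_FIRSTHDR(&msg);
    if (!cmsg || cmsg->cmsg_level != SOL_SOCKET || cmsg->cmsg_type != SCM_RIGHTS
        || cmsg->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;                           /* reject anything but one SCM_RIGHTS fd */
    memcpy(&fd, CMSG_DATA(cmsg), sizeof(int));
    return fd;
}

/* Unprivileged self-check of the hand-off: pass a pipe's read end through a
 * socketpair and verify the receiver reads what was written. Returns 1 on
 * success, 0 on failure. A TAP fd would travel the same way. */
int check_fd_passing(void)
{
    int sv[2], p[2], rfd;
    char out[6] = { 0 };
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || pipe(p) < 0)
        return 0;
    if (send_fd(sv[0], p[0]) < 0 || (rfd = recv_fd(sv[1])) < 0)
        return 0;
    if (write(p[1], "hello", 5) != 5 || read(rfd, out, 5) != 5)
        return 0;
    close(rfd); close(p[0]); close(p[1]); close(sv[0]); close(sv[1]);
    return strcmp(out, "hello") == 0;
}

int main(void)
{
    int tap = open_tap("vnet-example");      /* fails without CAP_NET_ADMIN */
    if (tap < 0)
        perror("open_tap");
    else
        close(tap);
    printf("SCM_RIGHTS hand-off: %s\n", check_fd_passing() ? "ok" : "FAILED");
    return 0;
}
```

Build with `cc -o tapfd tapfd.c`; the TAP step only succeeds as root or with CAP_NET_ADMIN, the self-check succeeds either way. The point for the policy discussion is visible in open_tap: every TAP device starts as an open of the single /dev/net/tun node, so the node's label, not the per-guest 'vnetN' name, is what SELinux sees, and the receiving process can only use the descriptor it was handed if the daemon in fact handed it the right one.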