From: domg472@gmail.com (Dominick Grift)
Date: Tue, 27 Jul 2010 18:27:58 +0200
Subject: [refpolicy] qemu context
In-Reply-To: <4C4F04E0.2000500@gmail.com>
References: <4C4EDF53.9030001@gmail.com> <20100727155149.GA10237@localhost.localdomain> <4C4F04E0.2000500@gmail.com>
Message-ID: <20100727162757.GC10237@localhost.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, Jul 27, 2010 at 09:10:08AM -0700, Justin P. Mattock wrote:
> On 07/27/2010 08:51 AM, Dominick Grift wrote:
> >On Tue, Jul 27, 2010 at 06:29:55AM -0700, Justin P. Mattock wrote:
> >>hello,
> >>
> >>probably can just post on iirc for a faster response..but decided
> >>to e-mail instead.. Anyways I've qemu finally running
> >>after some time of not using it and wanted to know what/where
> >>might I look to get info on the file labels for this.
> >>
> >>right now i've an .img in my home directory(not in var/lib/*)
> >>the context is
> >>ls -lZ name:name name:object_r:virt_image_t:s0 *.img
> >>
> >>does this seem correct?
> >
> >In fedora there is a qemu_image_t type for qemu images.
> >
>
> cool thanks for the response..
> was looking at some wikis and stuff I'll have to do some more reading
> on this.
>
> from what I see so far libvirt plays an important role(I think) but
> still need to look into it.
>
> So far my setup, is a simple build of qemu-kvm, added the udev rule
> so I don't run as root,and my *.img is in the home directory(still
> debating if I need libvirt).
>
> main concern is making the virtual os confined so if it gets
> exploited(sorry winxp) my main system is not touched or exploited(if
> it ever gets to that point)
>

if you use kvm it's indeed virt_image_t. Red Hat distros also have svirt which uses mcs to separate guests.

> Justin P. Mattock