sVirt and KVM
-
sVirt is the application of SELinux to virtualization. In RHEL 7 and up, a distinct SELinux context is assigned to each KVM virtual machine so that guests are separated from the host and from each other. Here's the output from my machine (running Fedora 24):
[jhooks@z420fedora ~]$ ps -efZ | grep svirt
system_u:system_r:svirt_t:s0:c102,c768 qemu 2221 1 93 08:41 ? 00:00:04 /usr/bin/qemu-system-x86_64 -machine accel=kvm -name Jenkins
system_u:system_r:svirt_t:s0:c50,c877 qemu 2259 1 89 08:41 ? 00:00:01 /usr/bin/qemu-system-x86_64 -machine accel=kvm -name Ansible
Each machine runs with the svirt_t context type and a different MCS (Multi Category Security) label. In the output above, Jenkins has c102 & c768 while Ansible has c50 & c877. The same is true for the disk images:
[jhooks@z420fedora VMs]$ ls -Z
system_u:object_r:svirt_image_t:s0:c50,c877 Ansible.qcow2
system_u:object_r:svirt_image_t:s0:c102,c768 jenkins.qcow2
Each disk image carries the svirt_image_t context type and the same MCS label as the guest process that uses it, so a guest can only reach the image that shares its categories.
Libvirt assigns the MCS labels automatically when the guest is started. If you run the guest without libvirt, using qemu directly, this does not happen.
When the guests are shut down the disks go back to their normal labeling:
[jhooks@z420fedora VMs]$ ls -Z
unconfined_u:object_r:virt_content_t:s0 Ansible.qcow2
unconfined_u:object_r:virt_content_t:s0 jenkins.qcow2
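To turn the checks above into something repeatable, here is an added example (my own script, not part of the original post or of libvirt) that audits the labels: every svirt_t guest must hold an MCS category pair no other guest shares, and its svirt_image_t disk must carry exactly that pair. The label listings are constructed inline from the post's output so it runs offline; on a live host you would feed it the label and name columns of `ps -eo label,args` and the output of `ls -Z`.

```shell
#!/bin/sh
# Added example (not from the original post): audit the sVirt labels the
# post inspects. Each guest's svirt_t process must carry an MCS pair no
# other guest shares, and its svirt_image_t disk must carry the same pair.

# Constructed sample: "<process context> <guest name>" per line.
PS_SAMPLE='system_u:system_r:svirt_t:s0:c102,c768 Jenkins
system_u:system_r:svirt_t:s0:c50,c877 Ansible'

# Constructed sample: "<file context> <image file>" per line.
LS_SAMPLE='system_u:object_r:svirt_image_t:s0:c50,c877 Ansible.qcow2
system_u:object_r:svirt_image_t:s0:c102,c768 jenkins.qcow2'

# mcs_of <context>: print the category set (e.g. c102,c768), or nothing
# when the context has no categories (a shut-down image is just s0).
mcs_of() {
    level=${1#*:*:*:}                        # drop user:role:type
    case $level in
        *:*) printf '%s\n' "${level#*:}" ;;  # s0:c102,c768 -> c102,c768
        *)   printf '\n' ;;
    esac
}

# check_unique <ps listing>: succeed only if no two guests share a pair.
check_unique() {
    dup=$(printf '%s\n' "$1" | while read -r ctx rest; do mcs_of "$ctx"; done |
          sort | uniq -d)
    [ -z "$dup" ]
}

# image_matches <guest ctx> <image ctx>: succeed only if the image is
# svirt_image_t and carries exactly the guest's categories.
image_matches() {
    case $2 in *:svirt_image_t:*) ;; *) return 1 ;; esac
    g=$(mcs_of "$1"); i=$(mcs_of "$2")
    [ -n "$g" ] && [ "$g" = "$i" ]
}

# map_images <ps listing> <ls listing>: print "<guest> <image>" for every
# image whose label matches a running guest.
map_images() {
    printf '%s\n' "$1" | while read -r gctx guest; do
        printf '%s\n' "$2" | while read -r ictx img; do
            if image_matches "$gctx" "$ictx"; then
                printf '%s %s\n' "$guest" "$img"
            fi
        done
    done
}
check_unique "$PS_SAMPLE" && map_images "$PS_SAMPLE" "$LS_SAMPLE"
```

A guest whose image is still labelled virt_content_t (the shut-down state shown above) or whose categories collide with another guest's is reported by a non-zero exit or a missing mapping line.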
-
Good information, always like to see more about selinux.