sVirt and shared disk

Daniel J Walsh dwalsh at redhat.com
Thu Aug 27 14:41:30 UTC 2015



On 08/27/2015 03:37 AM, Luc de Louw wrote:
> Hi there,
>
> Quoting https://libvirt.org/drvqemu.html
>
> "Disks that are marked as <shared> will get a generic label
> system_u:system_r:svirt_image_t:s0 allowing all guests read/write
> access them"
>
> The problem now is that the shared disks can potentially be
> accessed by other VMs which is not really nice.
>
> Is it safe to remove the shared parameter in the libvirt config and
> use static labeling instead?
>
> Thanks,
>
> Luc
>
From an SELinux point of view, it should work.  As long as the label is
svirt_image_t:s0, SELinux will not prevent any processes running as
svirt_t (guest qemu processes) from reading and writing the content.
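
The following is an added example, not part of the original message or of libvirt/SELinux code. It is a simplified model of the type check and MCS category check that sVirt relies on, showing why an image labelled with plain s0 is readable and writable by every svirt_t guest while an image carrying a guest's categories is not. The guest and disk contexts and the function names are constructed for illustration, and single-level contexts (no ranges such as s0-s0:c0.c1023) are assumed.

```python
# Simplified model of sVirt access decisions; not the SELinux policy engine.

def parse_categories(spec):
    """Expand 'c1,c5.c7' into {1, 5, 6, 7}; an empty string means no categories."""
    cats = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition(".")
        start = int(lo[1:])
        end = int(hi[1:]) if hi else start
        cats.update(range(start, end + 1))
    return cats

def parse_context(context):
    """Split 'user:role:type:sens[:cats]' into (type, sensitivity, categories)."""
    _user, _role, setype, level = context.split(":", 3)
    sens, _, cats = level.partition(":")
    return setype, sens, parse_categories(cats)

def guest_can_access(process_ctx, file_ctx):
    """True if a guest process may read/write the image under this model."""
    p_type, p_sens, p_cats = parse_context(process_ctx)
    f_type, f_sens, f_cats = parse_context(file_ctx)
    # Type enforcement, as stated in the thread: svirt_t may use svirt_image_t.
    type_ok = (p_type, f_type) == ("svirt_t", "svirt_image_t")
    # MCS: the process level must dominate the file level, i.e. the file's
    # categories must be a subset of the process's categories.
    mcs_ok = p_sens == f_sens and f_cats <= p_cats
    return type_ok and mcs_ok

# Constructed sample contexts (category numbers are made up).
GUEST_A = "system_u:system_r:svirt_t:s0:c107,c434"
GUEST_B = "system_u:system_r:svirt_t:s0:c12,c900"
DISK_A = "system_u:object_r:svirt_image_t:s0:c107,c434"  # labelled for guest A only
# Generic label for shared disks, as quoted from the libvirt documentation above.
SHARED_DISK = "system_u:system_r:svirt_image_t:s0"

if __name__ == "__main__":
    for guest in (GUEST_A, GUEST_B):
        for disk in (DISK_A, SHARED_DISK):
            print(guest, "->", disk, ":", guest_can_access(guest, disk))
```

The empty category set on the s0 label is a subset of any guest's categories, which is why the MCS check never separates guests on such a disk.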

