Installation guide

sVirt labeling
system_u:object_r:svirt_image_t:s0:c87,c520 image1
The following table outlines the different labels that can be assigned when using sVirt:
Table 17.1. sVirt labels

Type: Virtualized guest processes
SELinux context: system_u:system_r:svirt_t:MCS1
Description: MCS1 is a randomly selected MCS field. Currently approximately 500,000 labels are supported.

Type: Virtualized guest images
SELinux context: system_u:object_r:svirt_image_t:MCS1
Description: Only svirt_t processes with the same MCS fields are able to read/write these image files and devices.

Type: Virtualized guest shared read/write content
SELinux context: system_u:object_r:svirt_image_t:s0
Description: All svirt_t processes are allowed to write to the svirt_image_t:s0 files and devices.

Type: Virtualized guest shared read-only content
SELinux context: system_u:object_r:svirt_content_t:s0
Description: All svirt_t processes are able to read files/devices with this label.

Type: Virtualized guest images
SELinux context: system_u:object_r:virt_content_t:s0
Description: System default label used when an image exits. No svirt_t virtual processes are allowed to read files/devices with this label.
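The following is an added example, not code from the guide or from libvirt: it applies the access rules of Table 17.1 to `ls -Z` style output so an administrator can check which files a dynamically labeled guest can reach. The guest contexts and the directory listing are constructed sample data, and the checker models only the table's "same MCS field" rule, not the full MCS dominance constraints of the SELinux policy.

```python
# Added example (not Red Hat's code): a checker that applies the access rules
# of Table 17.1 to `ls -Z` style output, so an administrator can see which
# files a dynamically labeled guest can reach. It models only the table's
# "same MCS field" rule, not the full MCS dominance constraints of the policy.

def parse_context(ctx):
    """Split 'user:role:type:level' into (type, sensitivity, categories)."""
    _user, _role, type_, level = ctx.split(":", 3)
    sens, _, cats = level.partition(":")
    categories = set()
    for item in filter(None, cats.split(",")):
        if "." in item:  # range such as c10.c12
            lo, hi = (int(c[1:]) for c in item.split(".", 1))
            categories.update(range(lo, hi + 1))
        else:
            categories.add(int(item[1:]))
    return type_, sens, frozenset(categories)

def svirt_access(process_ctx, file_ctx):
    """Return 'rw', 'ro' or 'none' for an svirt_t guest touching a file."""
    ptype, psens, pcats = parse_context(process_ctx)
    ftype, fsens, fcats = parse_context(file_ctx)
    if ptype != "svirt_t":
        return "none"  # the table only describes svirt_t guest processes
    if ftype == "svirt_image_t":
        if not fcats:  # svirt_image_t:s0 is shared read/write content
            return "rw"
        return "rw" if (fsens, fcats) == (psens, pcats) else "none"
    if ftype == "svirt_content_t" and not fcats:
        return "ro"  # svirt_content_t:s0 is shared read-only content
    return "none"  # virt_content_t:s0 and any other type

def audit(process_ctx, ls_z_output):
    """Map each file in `ls -Z` output (context then name) to its access."""
    result = {}
    for line in ls_z_output.splitlines():
        ctx, name = line.split(None, 1)
        result[name] = svirt_access(process_ctx, ctx)
    return result

# Constructed sample data: two guests and a listing as `ls -Z` would print it.
GUEST_A = "system_u:system_r:svirt_t:s0:c87,c520"
GUEST_B = "system_u:system_r:svirt_t:s0:c12,c300"
LS_Z_OUTPUT = """\
system_u:object_r:svirt_image_t:s0:c87,c520 image1
system_u:object_r:svirt_image_t:s0:c12,c300 image2
system_u:object_r:svirt_image_t:s0 shared.img
system_u:object_r:svirt_content_t:s0 install.iso
system_u:object_r:virt_content_t:s0 parked.img
"""
print(audit(GUEST_A, LS_Z_OUTPUT))
```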
It is also possible to perform static labeling when using sVirt. Static labels allow the administrator to
select a specific label, including the MCS/MLS field, for a virtualized guest. Administrators who run
statically-labeled virtualized guests are responsible for setting the correct label on the image files.
The virtualized guest will always be started with that label, and the sVirt system will never modify the
label of a statically-labeled virtual machine's content. This allows the sVirt component to run in an MLS
environment. You can also run multiple virtualized guests with different sensitivity levels on a system,
depending on your requirements.