[CentOS-virt] OpenVZ and SELinux?
Daniel de Kok
daniel at centos.org
Tue Oct 16 07:48:55 UTC 2007
On Mon, 2007-10-15 at 18:36 -0400, Scott Dowdle wrote:
> Understood... that is a logical assumption... but also take into
> account that OpenVZ (including its commercial sibling, SWsoft's
> Virtuozzo) has been deployed by tens of thousands of users and is the
> #2 virtualization technology in use today... according to the OpenVZ
> project manager. I don't have any hard data I can point you to to
> prove that but that is my understanding. #1 would be VMware of
> course. My point is that it has been tested, audited, and revised
> over its history with regards to security... but it is obviously an
> ongoing process.
That doesn't really matter. Even if OpenVZ were proven to be exactly
correct, it is still used as a part of the kernel, which every now and
then has vulnerabilities.
> > - The solution allows system administrators to keep SELinux enabled on the
> > host system, and not restrict SELinux usage on guest systems.
> I'm not sure if there is a technical reason that OpenVZ won't work
> with SELinux. I'm guessing that it is like so many other third-party
> packages that say to turn off SELinux... simply because they want to
> avoid the support complexity of figuring out how to make it work and
> writing policies.
I see more obstacles: how would you modify/add policy from a virtual
machine, without affecting that of other VMs or the host machine? What
about security context collisions between virtual machines?
> As long as SWsoft has Virtuozzo customers using RHEL4 and RHEL5, I'm
> assuming it will be supported by them and also available in OpenVZ but
> I don't think I can find anything in writing that promises that.
We need to be sure that patches can be maintained for a longer period.
So, ideally a maintainer of such packages has understanding of the
code/patches. In the worst case, the maintainer could update patches to
ensure that it continues to work with our kernels.
> I think OS Virtualization / Containers will be less of an issue with
> upcoming major releases as I'm very sure that container features will
> be a stock part of the mainline kernel by that time. In fact, Andrew
> Morton says in his kernel speeches that the only thing he can predict
> that is coming over the next year or two is container features... but
> who knows how that will pan out?
I guess that we have to wait and see :).