[CentOS-virt] OpenVZ and SELinux?

Mon Oct 15 21:07:26 UTC 2007
Daniel de Kok <daniel at centos.org>

On Mon, 2007-10-15 at 16:18 -0400, Scott Dowdle wrote:
>  I'm not trying to bash SELinux, but I have to wonder what percentage of
>  CentOS/RHEL/Fedora users have SELinux on to begin with?  I'd like to
>  use it myself, but I just haven't gotten around to it... nor have I
>  made it a priority. :(
> 
>  The vast majority of Linux distributions do not include SELinux and
>  ARE being deployed with net-facing daemons.  One has to decide if it
>  is an acceptable risk.  For me it is... knock on wood.

It's a matter of diving into it, just like we all had to dive into
UNIX/Linux once. I can really recommend "SELinux by example" for getting
into SELinux.

>  I do appreciate you bringing up the point though.  It would be one of
>  the advantages of Xen over OpenVZ.  With both, there are a number of
>  advantages and disadvantages that must be considered.

Agreed.

>  I'm not saying it could never happen because anything is possible.  As
>  you may know there was a Xen vulnerability reported recently where a
>  grub configuration line could allow access to the hypervisor from the
>  guest (or something like that).

That was a vulnerability in pygrub. Just for clarity's sake: pygrub runs
in dom0, and is used to retrieve the kernel and initrd images from the
domU machine being booted based on its GRUB configuration (this is
needed to bootstrap the VM). It was not a vulnerability where some
program can break out of a domU and do stuff in dom0.

Doing such a thing is far easier when the virtual machine is running
under the same kernel as the host.


>  While I'd like to see CentOS sanctioned OpenVZ packages, I have to ask
>  just how many people have third-party packages on their system?  I use
>  DAG quite a bit. 

For that exact reason we advise people to use the yum-priorities plugin.
It prevents the package manager from replacing CentOS packages with
packages from a third-party repo.

>  I'd really like to see the CentOS team adopt OpenVZ and add it to the
>  Addons or Extras repo (which would be more appropriate) but I'm not sure
>  if they would be interested.

I think we'd be interested in including OS-level virtualization as an
option when:

- There are patches for the kernel versions that CentOS uses, and it 
  doesn't change the kernel too much besides implementing that 
  technology (so that it is easy to maintain it for future kernel 
  updates).
- It is feasible to support it for a few years on the kernels that
  CentOS uses, and someone is willing to maintain it for such
  periods.
- The solution should be stable, secure, and performant.
- The solution allows system administrators to keep SELinux enabled on
  the host system, and does not restrict SELinux usage on guest systems.

Remember that we potentially have to support new additions for years,
ideally until 2014 for CentOS 5. If someone thinks one solution can
fulfill these requirements, please feel free to discuss it on this list.

>  I made the mistake of asking a kernel question in the #centos IRC
>  channel... and when I revealed that I was running an OpenVZ kernel...
>  I wasn't kicked but I was sternly told that it would be off topic and
>  not tolerated. :(

We can't support what we don't provide, and you would be amazed how
often people ask questions on #centos about stuff that we don't
provide ;).

-- Daniel
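Editor's note: the yum-priorities configuration that Daniel refers to above, shown as an added example that is not part of the original message. The plugin comes from the CentOS Extras repo (yum install yum-priorities) and is switched on in /etc/yum/pluginconf.d/priorities.conf; each repo stanza then gets a priority= line, and a lower number wins: a package that exists in a repo with priority 1 will not be replaced by the same package name from a repo with priority 10. Repo names, mirror/base URLs and GPG key paths below are illustrative and abbreviated, not copied from any real repo file.

```ini
# /etc/yum/pluginconf.d/priorities.conf  (installed by: yum install yum-priorities)
[main]
enabled = 1

# /etc/yum.repos.d/CentOS-Base.repo  (only the fields relevant here are shown)
# priority=1 marks the distribution repos as authoritative.
[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1

[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1

# /etc/yum.repos.d/rpmforge.repo  (DAG / RPMforge; URL and key path are illustrative)
# priority=10: packages here are used only when the base/updates repos
# do not carry a package of the same name, so DAG cannot override CentOS.
[rpmforge]
name=RPMforge (DAG)
baseurl=http://apt.sw.be/redhat/el5/en/$basearch/dag
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag
priority=10
```

One caveat: a repo stanza without a priority= line gets the plugin's default priority of 99, i.e. the lowest, so the protection only works as intended if every third-party repo you enable is either given an explicit priority or left at the default while the CentOS repos are set to 1. Run "yum repolist" after editing; the plugin reports how many packages it excluded because of priority protections.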