my complaint about arch has been that the official kernels have neither selinux nor apparmor enabled.
the most important user app I have to secure on a system is always libvirt. I have almost no use for MACs except to secure libvirt.
libvirt integrates well with both apparmor and selinux so it can be locked down anywhere...
... except on arch.
because of this I turn to other distribs as VM hosts. linux-grsec is too nice to give up, and I refuse to recompile a kernel that updates twice a week.
I know there is a linux-selinux in AUR but it's from userland (compared to vetted selinux in fedora) and I don't want to give up linux-grsec, major reason to use arch. it only misses a MAC integrated with libvirt.
so what to use to MAC-up libvirt, with per-VM profiles? is it worth running it through grsec RBAC learning (linux-grsec only)? can it produce reusable per-vm profiles?
I notice Tomoyo is enabled in the linux-grsec kernel but never hear of anything using it.
what did I miss (in any of the official kernels or in linux-grsec only)?
Last edited by testtube (2015-11-28 17:34:47)
Offline
I think I put this in wrong section
Offline
You can use the report button to ask a moderator to move this thread to another sub-board.
Reading your post it seems to me you want to focus on securing libvirt while using linux-grsec kernel from [community].
If so, that should be reflected in the title.
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
clean chroot building not flexible enough ?
Try clean chroot manager by graysky
Online
Moving to Networking, Server and Protection as suggested.
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
The shortest way to ruin a country is to give power to demagogues.— Dionysius of Halicarnassus
---
How to Ask Questions the Smart Way
Offline
ok thanks I did that
the question applies to all the non-AUR kernels https://wiki.archlinux.org/index.php/Ke … l_packages (except for the part about grsec RBAC and Tomoyo since they are not in non-grsec kernels)
@ewaller thanks
edit: ok this is better
Last edited by testtube (2015-11-28 17:23:12)
Offline
had to do this on my own, as usual. in case anyone cares, the solution I settled on was to use grsecurity RBAC with a permissive base profile (that grsecurity will not help you make because it's not intended), and have each libvirt VM execute a different copy of the qemu emulator, each path having its own RBAC subject and ACLs, fully inherited. still not perfect isolation, some unnecessary resource overlap.
qemu/libvirt supports chroot but I can't use it because grsec kernel options to make chroot secure interfere with other systems like LXC.
didn't try tomoyo because no one uses it and more AUR.
the best solution would be apparmor (or future version of apparmor when better network filter comes) but arch doesn't include it and doesn't build libvirt with apparmor support, so it forces you to recompile the whole kernel + apparmor from AUR + libvirt. better install gentoo or just use debian.
RBAC is good enough after heavy configure, but arch supports no real appropriate solution.
Offline
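The layout described in the last post (one emulator copy per VM, each path with its own RBAC subject) only isolates VMs if no two domains point at the same emulator path. The following is an added example, not code from the thread: it reads the `<emulator>` and disk `<source file=…>` elements of libvirt domain XML, flags emulator paths shared by several VMs, and renders a per-VM subject block. The VM names, the `/usr/local/bin/qemu-*` paths and the stanza layout (brace form of the gradm policy file, objects limited to the VM's own disk images) are assumptions to check against your gradm version before loading.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed libvirt domain XML (trimmed to the elements used here).
DOMAINS = [
    """<domain type='kvm'><name>web</name><devices>
         <emulator>/usr/local/bin/qemu-web</emulator>
         <disk type='file'><source file='/var/lib/libvirt/images/web.qcow2'/></disk>
       </devices></domain>""",
    """<domain type='kvm'><name>db</name><devices>
         <emulator>/usr/local/bin/qemu-db</emulator>
         <disk type='file'><source file='/var/lib/libvirt/images/db.qcow2'/></disk>
       </devices></domain>""",
    """<domain type='kvm'><name>test</name><devices>
         <emulator>/usr/local/bin/qemu-web</emulator>
         <disk type='file'><source file='/var/lib/libvirt/images/test.qcow2'/></disk>
       </devices></domain>""",
]

def parse_domain(xml_text):
    """Return (name, emulator path, [disk image paths]) for one domain."""
    root = ET.fromstring(xml_text)
    name = root.findtext("name")
    emulator = root.findtext("devices/emulator")
    if not name or not emulator:
        raise ValueError("domain XML lacks <name> or <emulator>")
    disks = [s.get("file") for s in root.findall("devices/disk/source") if s.get("file")]
    return name, emulator, disks

def shared_emulators(domains):
    """Map emulator path -> VM names, only for paths used by more than one VM."""
    users = defaultdict(list)
    for xml_text in domains:
        name, emulator, _ = parse_domain(xml_text)
        users[emulator].append(name)
    return {path: vms for path, vms in users.items() if len(vms) > 1}

def subject_skeleton(xml_text):
    """Render a per-VM subject block: inherited rules plus rw on the VM's own disks."""
    name, emulator, disks = parse_domain(xml_text)
    lines = [f"# VM: {name}", f"subject {emulator} {{"]
    lines += [f"\t{disk}\trw" for disk in disks]
    lines.append("}")
    return "\n".join(lines)

if __name__ == "__main__":
    for path, vms in shared_emulators(DOMAINS).items():
        print(f"WARNING: {path} is shared by {', '.join(vms)}; one subject would cover all of them")
    print(subject_skeleton(DOMAINS[1]))
```

On a real host the XML strings would come from `virsh dumpxml <domain>` for each VM.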