sVirt 0.10
----------

Note: this is experimental code for review purposes only.

Project page: http://www.selinuxproject.org/page/SVirt


Instructions for building and running (SELinux+Fedora)
------------------------------------------------------

1) Install an updated Fedora development system.

2) Ensure SELinux is enabled and in enforcing mode.

3) Configure a simple qemu/kvm VM with the standard Fedora tools
   (e.g. virt-manager).

4) Install libselinux-devel.

5) Add to ~/.bashrc:

     export AUTOBUILD_INSTALL_ROOT=$HOME/builder

6) Check out the libvirt repository from upstream, and build the RPMs,
   installing development packages as necessary. Do this by running
   "./autobuild" in the libvirt repo. Once configured this way, you can
   manually run "make" and "make install" there as needed.

7) With the locally built code installed in AUTOBUILD_INSTALL_ROOT, launch
   libvirtd as root as follows (replace jmorris with your own username):

     #!/bin/sh
     BASE=/home/jmorris/builder
     LIBVIRTD=$BASE/sbin/libvirtd

     # Remove any stale pid file, then start the locally built daemon.
     rm -fv $BASE/var/run/libvirtd.pid
     $LIBVIRTD "$@"

8) You should see this libvirt instance running unconfined:

     # ps -Z `cat /home/jmorris/builder/var/run/libvirtd.pid`
     LABEL                             PID TTY      STAT   TIME COMMAND
     unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 11747 pts/0 S+   0:00 /home/jmorris/builder/sbin/libvirtd

9) Commands such as "virsh dominfo" should indicate the label of the domain
   if it is running. You'll need to ensure you're using the right virsh,
   e.g.:

     # /home/jmorris/builder/bin/virsh -c \
         qemu+unix:///system?socket=/home/jmorris/builder/var/run/libvirt/libvirt-sock \
         dominfo sys1

   You may wish to disable the system libvirtd.

10) To run the VM with a different SELinux label, edit the domain's XML
    configuration, with "virsh edit", and add the following:

      targeted

    before the closing tag.

11) If you run "virsh start", you'll probably get an AVC denial, as there
    is no policy to allow the transition.

    You can generate this policy via "audit2why -M", or compile and load
    the provided svirtdev.te file:

      $ make -f /usr/share/selinux/devel/Makefile svirtdev.pp
      $ sudo semodule -i svirtdev.pp

    Now, when launching the domain, you should see the following AVC grant
    message (with the provided policy):

      avc: granted { transition } for pid=11933 comm="libvirtd"
      path="/usr/bin/qemu-kvm" dev=dm-0 ino=14274514
      scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
      tcontext=system_u:system_r:virtd_t:s0 tclass=process

    This indicates that the domain was correctly launched with the desired
    security label.

      # pstree -Z `cat /home/jmorris/builder/var/run/libvirtd.pid`
      libvirtd(`unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023')
        └─qemu-kvm(`system_u:system_r:virtd_t:s0')
            ├─{qemu-kvm}(`system_u:system_r:virtd_t:s0')
            └─{qemu-kvm}(`system_u:system_r:virtd_t:s0')

----
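
Added example (not part of the sVirt code or of the original README): a shell
check for step 11 that reads an AVC record and confirms the process
transition was granted into the label configured for the domain. The function
names avc_field and check_transition are hypothetical, and the denial record
is constructed from the grant record shown above.

```shell
#!/bin/sh
# Added example: verify from an AVC record that qemu-kvm transitioned into
# the configured label. Function names are hypothetical.

# Print the value of field $2 (key=value) from AVC record $1.
avc_field() {
    printf '%s\n' "$1" | tr -s ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Return 0 only if record $1 grants "transition" on class "process" into
# label $2. 1 = denied, 2 = not a process transition record, 3 = other label.
check_transition() {
    rec=$(printf '%s\n' "$1" | tr -s ' ')   # audit.log pads with extra spaces
    case "$rec" in
        *"avc: granted {"*) ;;
        *"avc: denied {"*) echo "denied: policy does not allow it" >&2; return 1 ;;
        *) echo "not an AVC record" >&2; return 2 ;;
    esac
    perms=$(printf '%s\n' "$rec" | sed -n 's/.*{ \(.*\) }.*/\1/p')
    case " $perms " in
        *" transition "*) ;;
        *) echo "no transition permission in record" >&2; return 2 ;;
    esac
    [ "$(avc_field "$rec" tclass)" = process ] || return 2
    got=$(avc_field "$rec" tcontext)
    [ "$got" = "$2" ] || { echo "label is $got, wanted $2" >&2; return 3; }
}

# Grant record copied from this README.
GRANTED='avc: granted { transition } for pid=11933 comm="libvirtd" path="/usr/bin/qemu-kvm" dev=dm-0 ino=14274514 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtd_t:s0 tclass=process'
# Constructed sample: the same record as the denial step 11 warns about.
DENIED=$(printf '%s\n' "$GRANTED" | sed 's/granted/denied/')
WANT=system_u:system_r:virtd_t:s0

for rec in "$GRANTED" "$DENIED"; do
    if check_transition "$rec" "$WANT" 2>/dev/null; then
        echo "OK: qemu-kvm runs as $WANT"
    else
        echo "FAIL: rc=$?"
    fi
done
```

Comparing tcontext against the configured label, rather than only looking for
"granted", also catches a transition into a label other than the one set in
the domain's XML.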