Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Programming
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Databases
Mail Systems
openSolaris
Eclipse Documentation
Techotopia.com
Virtuatopia.com
Answertopia.com

How To Guides
Virtualization
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Windows
Problem Solutions
Privacy Policy

  




 

 

Chapter 10. Security for virtualization

When deploying Red Hat Virtualization on your corporate infrastructure, you must ensure that the host( dom0 ) cannot be compromised. dom0 is the privileged domain that handles system management. If dom0 is insecure, all other domains in the system are vulnerable. There are several ways to enhance security on systems using Red Hat Virtualization. You or your organization should create a deployment plan containing the operating specifications and specifies which services are needed on your virtualized guests and host servers as well as what support is required for these services. Here are a few security issues to consider while developing a deployment plan:
  • Run only necessary services on hosts. The fewer processes and services running on the host, the higher the level of security and performance.
  • Enable SELinux on the hypervisor(dom0). Read Section 10.1, “SELinux and virtualization” for more information on using SELinux and virtualization.
  • Use a firewall to restrict traffic to dom0. You can setup a firewall with default-reject rules that will help secure attacks on dom0. It is also important to limit network facing services.
  • Do not allow normal users to access dom0. If you do permit normal users dom0 access, you run the risk of rendering dom0 vulnerable. Remember, dom0 is privileged, and granting unprivileged accounts may compromise the level of security.

10.1. SELinux and virtualization

Security Enhanced Linux was developed by the NSA with assistance from the Linux community to provide stronger security for Linux. SELinux limits an attackers abilities and works to prevent many common security exploits such as buffer overflow attacks and privilege escalation. It is because of these benefits that Red Hat recommends all Red Hat Enterprise Linux systems should run with SELinux enabled and in enforcing mode.
prevents Red Hat Virtualization images from loading if SELinux is enabled and the images are not in the correct directory. SELinux requires that all Red Hat Virtualization images are stored in /var/lib/xen/images.
Adding LVM based storage with SELinux in enforcing mode
The following section is an example of adding a logical volume to a virtualized guest with SELinux enabled. These instructions also work for hard drive partitions.
Procedure 10.1. Creating and mounting a logical volume on a virtualized guest with SELinux enabled
  1. Create a logical volume. This example creates a 5 gigabyte logical volume named NewVolumeName on the volume group named volumegroup .
    # lvcreate -n 
    NewVolumeName
     -L 
    5G
     
    volumegroup
    
    
  2. Format the NewVolumeName logical volume with a file system that supports extended attributes, such as ext3.
    # mke2fs -j 
    /dev/volumegroup/NewVolumeName
    
    
  3. Create a new directory for mounting the new logical volume. This directory can be anywhere on your file system. It is advised not to put it in important system directories (/etc, /var, /sys) or in home directories (/home or /root). This example uses a directory called /virtstorage
    # mkdir 
    /virtstorage
    
    
  4. Mount the logical volume.
    # mount 
    /dev/volumegroup/NewVolumeName
     
    /virtstorage
    
    
  5. Set the correct SELinux type for the folder.
    semanage fcontext -a -t xen_image_t "/virtualization(/.*)?
    
    If the targeted policy is used (targeted is the default policy) the command appends a line to the /etc/selinux/targeted/contexts/files/file_contexts.local file which makes the change persistent. The appended line may resemble this:
    /virtstorage(/.*)?    system_u:object_r:xen_image_t:s0
    
  6. Run the command to change the type of the mount point (/virtstorage) and all files under it to xen_image_t (restorecon and setfiles read the files in /etc/selinux/targeted/contexts/files/).
    # restorecon -R -v /virtualization
    

 
 
  Published under the terms of the GNU General Public License Design by Interspire