Building SELinux policy for VirtualBox

shadowbox
Posts: 13
Joined: 2010/03/16 00:33:29

Building SELinux policy for VirtualBox

Post by shadowbox » 2011/12/29 07:03:32

I really like the pre-built SELinux policies for qemu and wish there was something similar for virtualbox, but I haven't been able to find anything. So it looks like I'll have to build my own. Anyone have any tips or a framework I can build from? I'm not looking for anything too fancy or complicated, I just want to run virtualbox relatively confined to the directories and functions it needs.

AndrewSerk
Posts: 60
Joined: 2010/11/21 03:41:16

Re: Building SELinux policy for VirtualBox

Post by AndrewSerk » 2011/12/30 22:30:09

Hello,
I haven't tested VirtualBox in a sandbox and it would depend on what you do with your vbox whether this is useful to you, but have you looked into a sandbox for virtualbox? Sandbox is provided by the package policycoreutils-sandbox and has some prebuilt policies you may find useful.

shadowbox
Posts: 13
Joined: 2010/03/16 00:33:29

Re: Building SELinux policy for VirtualBox

Post by shadowbox » 2012/02/02 04:27:17

Setting up a sandbox looks like it would be even more work than creating a custom policy, so I'm working on the policy. Question for the SE_Linux gurus out there. VirtualBox has a number of executable files, scripts, and .so files in a single directory /usr/lib/virtualbox. The main daemon VBoxSVC is also in this dir. Should I use selinux-polgen to create a policy for each executable with its own type, i.e. VBox_exec_t & VBoxSVC_exec_t & VBoxWhatever_exec_t, or just lump them all together under a single exec_t type?

Second question is how should I write the context for this directory? Currently my VirtualBox.fc lists /usr/lib/virtualbox(/.*)? gen_context(system_u:object_r:VirtualBox_rw_t,s0) which gives the main virtualbox exec_t file read/write to that directory, but none of the files within are listed as exec_t type. The problem is that there are both executable files and non-executables in that dir, so I can't just label the whole thing one way. Do I have to change the .fc to list each file individually? Can I just list the exceptions and leave the general rw_t in place for the rest?
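The labelling question in the post above (keep the general `(/.*)?` rule and list only the exceptions) comes down to how file-context specs take precedence. This added example is not from the thread or from VirtualBox; it is a small Python model of that precedence: a general entry for /usr/lib/virtualbox plus two hypothetical, more specific entries (the daemon binary as an entrypoint, the `VBox*.so` shared objects as `lib_t`), resolved for a constructed set of paths. The type names `virtualbox_rw_t` and `virtualbox_exec_t` are assumptions (lowercase, as SELinux convention prefers); `lib_t` is the standard refpolicy type for shared libraries. The model assumes the rule reference policy's sorting and setfiles' last-match lookup produce in practice, simplified here to "longest literal prefix wins, ties go to the later entry", and it honours the optional file-type field (`--` regular file, `-d` directory).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed .fc text (added example, not from the thread): the general rule
# plus two hypothetical exceptions. Type names are assumptions; lib_t is the
# standard refpolicy type for shared libraries.
FC_TEXT = r"""
# general rule: everything under the directory is read/write data for the domain
/usr/lib/virtualbox(/.*)?               gen_context(system_u:object_r:virtualbox_rw_t,s0)
# exceptions: the daemon binary is an entrypoint, shared objects are libraries
/usr/lib/virtualbox/VBoxSVC         --  gen_context(system_u:object_r:virtualbox_exec_t,s0)
/usr/lib/virtualbox/VBox[^/]*\.so   --  gen_context(system_u:object_r:lib_t,s0)
"""

# One spec per line:  <regex>  [<file-type>]  gen_context(<context>,s0)
FC_LINE = re.compile(
    r"^(?P<regex>\S+)\s+(?:(?P<ftype>-[-bcdlps])\s+)?gen_context\((?P<ctx>[^,]+),s0\)\s*$"
)
FTYPE_KIND = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "chr",
              "-b": "blk", "-s": "sock", "-p": "fifo"}
META = set(".^$?*+|[(){\\")  # characters that start the regex part of a spec


@dataclass
class Spec:
    regex: "re.Pattern"
    ftype: Optional[str]  # None means "any file type"
    context: str
    stem: str             # literal prefix before the first metacharacter
    order: int            # position in the .fc file (later entries win ties)


def parse_fc(text: str) -> List[Spec]:
    """Parse .fc lines into specs; blank lines and # comments are skipped."""
    specs: List[Spec] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable file context line {lineno}: {line}")
        pattern = m.group("regex")
        stem = ""
        for ch in pattern:
            if ch in META:
                break
            stem += ch
        specs.append(Spec(re.compile(pattern), m.group("ftype"),
                          m.group("ctx"), stem, len(specs)))
    return specs


def resolve(path: str, kind: str, specs: Optional[List[Spec]] = None) -> Optional[str]:
    """Return the context of the most specific matching spec, or None if unlabelled.

    Specificity model (simplified): longest literal prefix, then later entry.
    """
    if specs is None:
        specs = parse_fc(FC_TEXT)
    candidates = [s for s in specs
                  if s.regex.fullmatch(path)
                  and (s.ftype is None or FTYPE_KIND[s.ftype] == kind)]
    if not candidates:
        return None
    best = max(candidates, key=lambda s: (len(s.stem), s.order))
    return best.context


if __name__ == "__main__":
    # Constructed sample tree: path -> file kind
    SAMPLE_TREE = {
        "/usr/lib/virtualbox": "dir",
        "/usr/lib/virtualbox/VBoxSVC": "file",
        "/usr/lib/virtualbox/VBoxRT.so": "file",
        "/usr/lib/virtualbox/VBox.sh": "file",
        "/etc/passwd": "file",
    }
    for p, k in SAMPLE_TREE.items():
        print(f"{p:32} {k:5} -> {resolve(p, k)}")
```

Run as a script it prints the label each sample path would receive: the directory itself and the helper script fall under the general rule, while the daemon binary and the shared object pick up their more specific entries. The practical point for the policy is that the general `rw_t` rule can stay in place and only the files that need a different type (the executables that should be domain entrypoints, the libraries) need their own lines; always confirm the real result with `matchpathcon` on a system with the policy loaded, since this script is a model of the precedence rule, not libselinux.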
