Product SiteDocumentation Site

Fedora 19

Virtualization Security Guide

Virtualization Documentation

Edition 0.2

Red Hat Engineering Content Services

Legal Notice

Copyright © 2013 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at The original authors of this document, and Red Hat, designate the Fedora Project as the "Attribution Party" for purposes of CC-BY-SA. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
For guidelines on the permitted uses of the Fedora trademarks, refer to
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
All other trademarks are the property of their respective owners.
This guide provides an overview of virtualization security technologies provided by Fedora, and provides recommendations for securing hosts, guests, and shared infrastructure and resources in virtualized environments.

1. Document Conventions
1.1. Typographic Conventions
1.2. Pull-quote Conventions
1.3. Notes and Warnings
2. We Need Feedback!
1. Introduction
1.1. Virtualized and Non-Virtualized Environments
1.2. Why Virtualization Security Matters
1.3. Three Way Model
1.4. Leveraging SELinux with sVirt
2. Host Security
2.1. Why Host Security Matters
2.2. Host Security Best Practices for Fedora
2.2.1. Special Considerations for Public Cloud Operators
3. Guest Security
3.1. Why Guest Security Matters
3.2. Guest Security Best Practices
4. sVirt
4.1. Introduction
4.2. SELinux and Mandatory Access Control (MAC)
4.3. sVirt Configuration
4.4. sVirt Labeling
4.4.1. Types of sVirt Labels
4.4.2. Dynamic Configuration
4.4.3. Dynamic Configuration with Base Labeling
4.4.4. Static Configuration with Dynamic Resource Labeling
4.4.5. Static Configuration without Resource Labeling
5. Network Security in a Virtualized Environment
5.1. Network Security Overview
5.2. Network Security Best Practices
5.2.1. Securing Connectivity to Spice
5.2.2. Securing Connectivity to Storage
6. Further Information
6.1. Contributors
6.2. Other Resources
A. Revision History