On Fri, Aug 29, 2008 at 08:46:35AM +0200, Daniel Veillard wrote:
> On Fri, Aug 29, 2008 at 06:00:36AM +0100, Daniel P. Berrange wrote:
> > On Fri, Aug 29, 2008 at 01:32:27PM +1000, James Morris wrote:
> > > I'd suggest we implement a new label element to avoid breaking
> > > compatibility and to avoid potential confusion with other types of device
> > > labels (e.g. as you might see via /dev/disk/by-label).
> > >
> > > So, how about the following:
> > >
> > > <seclabel>
> > >
> > > <model>
> > >
> > > <!-- model-specific elements in here, to be handled by
> > > named security driver, in this case "selinux" -->
> > > <selinux>
> > > <type>targeted</type>
> > > </selinux>
> >
> > I'd rather not have security model specific XML element names if
> > practical. We've tried to keep to a naming that is conceptually
> > generic, even if it only has 1 implementation.
>
> right in general we have been using element names for specifying the
> concepts and attributes values to explain the specifics.
>
> > >
> > > </model>
> > >
> > > <value>system_u:object_r:virt_image_t:s0</value>
> >
> > Since the interpretation of the 'value' element's contents
> > depends on the type of security model, I think the type
> > is better designated on the parent 'seclabel' element.
> >
> > >
> > > </seclabel>
> >
> > Would this be sufficient...
> >
> > <seclabel model='selinux'>
> > <policy>targeted</policy>
> > <value>system_u:object_r:virt_image_t:s0</value>
> > </seclabel>
>
> that looks more homogeneous. i don't know how that would map to
> other security models, examples would be great

I've just had a read of the Xen user guide on their ACM security module

http://www.cl.cam.ac.uk/research/srg/netos/xen/readmes/user.pdf

It kicks off around page 55

In that example a domain is labeled along the lines of 'ACM:mytest:A-Bank'
where 'ACM' is the security model, 'mytest' is the policy name, and 'A-Bank'
is the seclabel value. Disk files have the same breakdown.

This would map quite easily to

<seclabel model='acm'>
<policy>mytest</policy>
<value>A-Bank</value>
</seclabel>

Daniel

-- 
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
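An added example, not from the thread or from libvirt's own code, of how a consumer of the proposed `<seclabel model='...'>` form would parse the two instances quoted in the thread, reject a value the named model cannot interpret instead of passing it on to the security driver, and render the acm case as the 'ACM:policy:label' string described from the Xen guide; the validation regexes and function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs: the two <seclabel> forms proposed in the thread.
SELINUX_XML = """<seclabel model='selinux'>
<policy>targeted</policy>
<value>system_u:object_r:virt_image_t:s0</value>
</seclabel>"""

ACM_XML = """<seclabel model='acm'>
<policy>mytest</policy>
<value>A-Bank</value>
</seclabel>"""

# Assumed shape checks: an SELinux context is user:role:type:level (the level may
# itself contain ':' for ranges); ACM policy and label names are plain identifiers,
# since ':' is the field separator in the 'ACM:policy:label' string form.
SELINUX_CTX = re.compile(r"^[A-Za-z0-9_.]+:[A-Za-z0-9_.]+:[A-Za-z0-9_.]+:[A-Za-z0-9_.:,-]+$")
ACM_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")

def parse_seclabel(xml_text):
    """Parse a <seclabel> element into (model, policy, value).
    The model attribute on the parent selects how <value> is validated;
    anything the named security driver could not interpret raises ValueError."""
    root = ET.fromstring(xml_text)
    if root.tag != "seclabel":
        raise ValueError("expected <seclabel> root element, got <%s>" % root.tag)
    model = root.get("model")
    if not model:
        raise ValueError("<seclabel> requires a 'model' attribute")
    policy = (root.findtext("policy") or "").strip()
    value = (root.findtext("value") or "").strip()
    if model == "selinux":
        if not SELINUX_CTX.match(value):
            raise ValueError("selinux value is not a user:role:type:level context: %r" % value)
    elif model == "acm":
        if not (ACM_NAME.match(policy) and ACM_NAME.match(value)):
            raise ValueError("acm policy/value must be plain identifiers: %r/%r" % (policy, value))
    else:
        raise ValueError("unknown security model %r" % model)
    return model, policy, value

def is_valid_seclabel(xml_text):
    """True if the element parses and its value fits the named model."""
    try:
        parse_seclabel(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False

def to_acm_label(xml_text):
    """Render an acm <seclabel> as the 'ACM:policy:label' string used by Xen's ACM."""
    model, policy, value = parse_seclabel(xml_text)
    if model != "acm":
        raise ValueError("only acm labels map to ACM:policy:label strings")
    return "ACM:%s:%s" % (policy, value)
```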