On Fri, Feb 27, 2009 at 03:37:55PM -0500, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Another patch off latest repository.
>
> This patch does not require the XML to include a label, although this is
> still supported.
>
> Implemented most of the comments from Jim. make check and make
> syntax-check passes, Added seclabeltest.c to run in tests, Updated
> capability.rng, although not really sure I did it right.
>
> This patch will generate random MCS Labels and relabels the image files
> to match. Seems to work well on F11.
>
> I will back port some policy to allow it to work on F10.
>
> I think we need a mechanism in libvirtd.conf to turn this off. And
> allow perhaps three modes.
>
> svirt=Disabled. No Security Driver.
> svirt=MLS (Requires context in xml, no relabel of disks)
> svirt=Standard, (If no XML label, then random generate one and reset
> file context).
>
> How should I read config from libvirt.conf and not enable the
> SecurityModel?
>
> http://people.fedoraproject.org/~dwalsh/SELinux/svirt.patch

I have finally applied this patch. I broke it up into a series of 7
patches across the different functional areas, to make it easier to
bisect individual changes, so I applied it in the following pieces

 - Public API definitions
 - Internal driver API glue
 - Remote protocol API & glue
 - Core security driver infrastructure
 - Virsh additions for dominfo
 - SELinux security driver
 - QEMU integration with security driver

I made a couple of small changes along the way...

 - virSecurityDriverStartup() takes a driver name, so HV drivers can
   explicitly configure which sec driver they want, overriding the
   default probed order. 'none' disables it completely
 - /etc/libvirt/qemu.conf gains a security_driver='XXX' config param
   accepting 'none' or 'selinux' to choose drivers.
   If not set it will probe for a driver, thus defaulting to SELinux if
   available
 - Fixed the RNG schema for capabilities & domain XML format additions
 - Added a configure.in check for selinux_virtual_domain_context_path()
   and selinux_virtual_image_context_path() and make it disable the
   SELinux driver if these aren't found. These functions are new on F11,
   so we don't want to break build on RHEL-5 & earlier Fedora.

I still think we need one further tweak to the XML. We have the ability
to turn on / off the security driver in QEMU, but I think we need
better support for the automatic label generation. The current logic is
doing

 - If a <seclabel> element is in the XML, use that
 - Else generate a seclabel when starting a VM

The trouble is when you then query the XML for a guest, you have no way
of telling whether the <seclabel> is showing a generated one, or a
predefined one. And if you dump and then reload the XML, your VM that
used to be using a generated label, now gets fixed to that current label
forever. This has caused us a great deal of pain in the past with
generated VNC ports, and generated TAP device names.

So I think we need to add an XML attribute to explicitly note that the
label is generated

eg, add type="static|dynamic" to <seclabel>

  ...
  <seclabel model='selinux' type="static">
    <label>system_u:system_r:qemu_t:s0:c210.c502</label>
  </seclabel>

Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
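
Added example, not part of the original message and not libvirt's code: the dump/reload problem described above, and how the proposed type="static|dynamic" attribute lets a generated label be dropped on save while a predefined one is kept. The function names, the c0-c1023 category range and the sample domain XML are assumptions made for illustration.

```python
import random
import xml.etree.ElementTree as ET

# Context prefix taken from the example label in the message above.
BASE_CONTEXT = "system_u:system_r:qemu_t:s0"

def random_mcs_label(rng, in_use):
    """Pick two distinct categories (assumed range c0-c1023) no other guest holds."""
    while True:
        c1, c2 = sorted(rng.sample(range(1024), 2))
        label = f"{BASE_CONTEXT}:c{c1}.c{c2}"
        if label not in in_use:
            in_use.add(label)
            return label

def start_guest(config_xml, rng, in_use):
    """Return the live XML: a predefined label is kept and marked static,
    otherwise a fresh label is generated and marked dynamic."""
    dom = ET.fromstring(config_xml)
    sec = dom.find("seclabel")
    if sec is not None and sec.get("type") != "dynamic" and sec.findtext("label"):
        sec.set("type", "static")
        in_use.add(sec.findtext("label"))  # reserve it so no dynamic guest collides
        return ET.tostring(dom, encoding="unicode")
    if sec is None:
        sec = ET.SubElement(dom, "seclabel", {"model": "selinux"})
    sec.set("type", "dynamic")
    for old in sec.findall("label"):
        sec.remove(old)  # never reuse a label left over from a previous run
    ET.SubElement(sec, "label").text = random_mcs_label(rng, in_use)
    return ET.tostring(dom, encoding="unicode")

def to_persistent(live_xml):
    """XML that is safe to dump and reload: a dynamic label is stripped so the
    guest is not pinned to it forever; a static label is left untouched."""
    dom = ET.fromstring(live_xml)
    sec = dom.find("seclabel")
    if sec is not None and sec.get("type") == "dynamic":
        for old in sec.findall("label"):
            sec.remove(old)
    return ET.tostring(dom, encoding="unicode")

def label_of(xml_text):
    """Label text of the guest's <seclabel>, or None when it carries none."""
    return ET.fromstring(xml_text).findtext("seclabel/label")

if __name__ == "__main__":
    in_use, rng = set(), random.Random()
    cfg = "<domain type='kvm'><name>demo</name></domain>"  # constructed sample
    live = start_guest(cfg, rng, in_use)
    print("live:     ", live)
    print("persisted:", to_persistent(live))
```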