Printing runtime DAC seclabel in the XML

I'm looking in the code to see why runtime VM dac seclabel values aren't
printed in the active XML. They are filled in, but the domain XML formatter
explicitly skips it:

    /* To avoid backward compatibility issues, suppress DAC and 'none' labels
     * that are automatically generated.
     */
    if ((STREQ_NULLABLE(def->model, "dac") ||
         STREQ_NULLABLE(def->model, "none")) && def->implicit)
        return;

The relevant bit is from here:

commit 990e46c4542349f838e001d30638872576c389e9
Author: Marcelo Cerri <mhcerri@xxxxxxxxxxxxxxxxxx>
Date:   Fri Aug 31 13:40:41 2012 +0200

    conf: Avoid formatting auto-generated DAC labels

And I think a comment elsewhere in domain_conf.c explains what that's all about:

    /* libvirt versions prior to 0.10.0 support just a single seclabel element
     * in guest's XML and model attribute can be suppressed if type is none or
     * type is dynamic, baselabel is not defined and INACTIVE flag is set.
     *
     * To avoid compatibility issues, for this specific case the first model
     * defined in host's capabilities is used as model for the seclabel.
     */

Just dropping the model == "dac" check above seems to accomplish what I'm
after, but it's not strictly back compatible. That said, libvirt has supported
multiple seclabels for a loooong time now, so I wonder do we even care? Do we
have a target for how far back we try to maintain XML compat? Or does anyone
else have other ideas?

(ccing jiri and michal who have had patches in this area)

Thanks,
Cole

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list


