Hi everyone,

so there was an idea about limiting the relabelling of images that libvirt does. And I'm taking the liberty of pitching my idea of how to approach this. I feel like it's a pretty simple thing and there's not much to talk about, but a) I could've missed something and b) you might hate the way I approach it.

The idea is to extend the seclabel XML, for example:

  <seclabel type='dynamic' model='dac' relabel='whitelist'>
    <path>/var/lib/libvirt/images</path>
    <path>/data/virt-stuff</path>
  </seclabel>

Either we allow 'relabel' to be set to 'whitelist' or add a new attribute with a name like 'mode' or something, which will control how we relabel the files (actually relabel='no' can mean 'whitelist' and relabel='yes' can mean blacklist without adding anything there). After that you can specify what paths are (dis)allowed to be labelled.

Actually, thinking about it, I like the following the most:

  <seclabel type='dynamic' model='dac' relabel='no'>
    <whitelist path='/data'/>
    <blacklist path='/data/private/non-virt/stuff'/>
  </seclabel>

which I believe is pretty explanatory. Feel free to ask if it's not. And let me know what you think.

And have a nice day!!!

Martin
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
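
An added example, not part of the original message and not libvirt code: one way the second seclabel form above could be evaluated for a given image path. The function names are hypothetical, and the semantics are assumptions the proposal does not spell out: relabel='no' makes "do not relabel" the default, the most specific listed path decides, a blacklist wins a tie, and matching is lexical per path component (symlinks are not resolved).

```python
import posixpath
import xml.etree.ElementTree as ET

# Constructed sample: the second seclabel form proposed in the message above.
SECLABEL_XML = """
<seclabel type='dynamic' model='dac' relabel='no'>
  <whitelist path='/data'/>
  <blacklist path='/data/private/non-virt/stuff'/>
</seclabel>
"""

def _norm(path):
    """Collapse '.', '..' and repeated slashes; lexical only."""
    return posixpath.normpath("/" + path.lstrip("/"))

def _is_under(path, root):
    """True if path equals root or lies below it, compared per component."""
    return root == "/" or path == root or path.startswith(root + "/")

def load_rules(xml_text):
    """Return (default_relabel, [(normalized_root, allow), ...])."""
    elem = ET.fromstring(xml_text)
    default = elem.get("relabel", "yes") == "yes"
    rules = []
    for child in elem:
        if child.tag in ("whitelist", "blacklist") and child.get("path"):
            rules.append((_norm(child.get("path")), child.tag == "whitelist"))
    return default, rules

def may_relabel(path, default, rules):
    """Assumed semantics: the longest matching root decides; blacklist wins ties."""
    if not path.startswith("/"):
        return False  # a relative path is ambiguous, so refuse to relabel it
    path = _norm(path)  # '/data/../etc/passwd' becomes '/etc/passwd'
    best = None
    for root, allow in rules:
        if _is_under(path, root):
            key = (len(root), not allow)  # deny outranks allow at equal depth
            if best is None or key > best[0]:
                best = (key, allow)
    return default if best is None else best[1]

if __name__ == "__main__":
    default, rules = load_rules(SECLABEL_XML)
    for p in ("/data/vm1.qcow2", "/data/private/non-virt/stuff/x", "/database/x"):
        print(p, may_relabel(p, default, rules))
```

Comparing whole components rather than raw string prefixes is what keeps /database from being treated as if it were under /data.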