On 01/12/2011 10:23 AM, Cole Robinson wrote:
> This will help facilitate disabling seclabel for an individual VM. One
> functional change is that the user can now hardcode type='dynamic', but
> there was no good reason to deny it anyways.
>
> Signed-off-by: Cole Robinson <crobinso@xxxxxxxxxx>
> ---
> src/conf/domain_conf.c | 34 ++++++++++----------
> src/security/security_apparmor.c | 6 ++--
> src/security/security_selinux.c | 6 ++--
> .../qemuxml2xml-seclabel-dynamic-out.xml | 1 +
> 4 files changed, 24 insertions(+), 23 deletions(-)

Hmm, the domain.rng states that attribute model is <text/> rather than limiting it to a <choice> between selinux/apparmor (as currently supported) or even <choice> selinux/apparmor/none (per your enum in patch 5/7, as used in patch 7/7). That might be an independently useful thing to clean up, to tighten the .rng to match the possible valid values. And maybe 5/7 has a use after all (but with cleanups to avoid issues with model='default' and to omit model='none').

Given your commit message, I see what you are getting at - the current xml parsing does not reject <seclabel type='dynamic' model='bogus'> for a defined but inactive domain. At which point this code motion makes sense, to always validate model to match the list of allowed enum values. But it could use domain.rng tightening, and docs/formatdomain.html.in doesn't even mention seclabel, so we'd probably want that in first.

And then there's the question of whether to go with patch 5/7 as a prereq to this, or whether you should rewrite the code motion in terms of the state things were in before 5/7.

I guess this means it is worth a v2, if you think it is still worth keeping this patch in the series.

--
Eric Blake eblake@xxxxxxxxxx +1-801-349-2682
Libvirt virtualization library http://libvirt.org