Re: [PATCH] dynamic_ownership documentation

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 03/04/2011 09:35 AM, Daniel P. Berrange wrote:
>> +# A static assignment of SELinux labels imply that the administrator
>> +# manually configures the SELinux label of the virtual machine in
>> +# /etc/libvirt/qemu/<VM-DESCRIPTOR> based on the following example:
>> +#
>> +#  <seclabel model='selinux' type="static">
>> +#    <label>system_u:system_r:qemu_t:s0:c210.c502</label>
>> +#  </seclabel>

>> +# dynamic_ownership: 0 == static assignment of SELinux labels
>> +#                    1 == dynamic assignment of SELinux labels
>> +dynamic_ownership=1
>> +#
> 
> This is not what the dynamic_ownership parameter does - it actually
> has nothing todo with SELinux / sVirt.  This determines whether
> libvirt will set the user/group DAC ownership on the disk images
> to match the uid/gid the QEMU process runs under.

While Daniel's point is correct, that dynamic_ownership in the conf file
(affecting DAC) is different than dynamic SELinux labels in the XML
(affecting SELinux), it may still be worth updating the
dynamic_ownership documentation to mention how the XML can additionally
affects access.

> 
> Whether libvirt uses static or dynamic SELinux labels is entirely
> controlled by the guest XML config. This is explained a little bit
> in this webpage:
> 
>    http://libvirt.org/drvqemu.html#securitysvirt
> 
> though you might wish to improve the wording a little more (the web
> pages are stored in the docs/ directory of GIT.

Agreed that the web pages could also be improved.

-- 
Eric Blake   eblake@xxxxxxxxxx    +1-801-349-2682
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list

[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]