On 03/04/2011 09:35 AM, Daniel P. Berrange wrote:
>> +# A static assignment of SELinux labels imply that the administrator >> +# manually configures the SELinux label of the virtual machine in >> +# /etc/libvirt/qemu/<VM-DESCRIPTOR> based on the following example: >> +# >> +# <seclabel model='selinux' type="static"> >> +# <label>system_u:system_r:qemu_t:s0:c210.c502</label> >> +# </seclabel> >> +# dynamic_ownership: 0 == static assignment of SELinux labels >> +# 1 == dynamic assignment of SELinux labels >> +dynamic_ownership=1 >> +#
>
> This is not what the dynamic_ownership parameter does - it actually
> has nothing to do with SELinux / sVirt. This determines whether
> libvirt will set the user/group DAC ownership on the disk images
> to match the uid/gid the QEMU process runs under.

While Daniel's point is correct, that dynamic_ownership in the conf file (affecting DAC) is different than dynamic SELinux labels in the XML (affecting SELinux), it may still be worth updating the dynamic_ownership documentation to mention how the XML can additionally affect access.

>
> Whether libvirt uses static or dynamic SELinux labels is entirely
> controlled by the guest XML config. This is explained a little bit
> in this webpage:
>
> http://libvirt.org/drvqemu.html#securitysvirt
>
> though you might wish to improve the wording a little more (the web
> pages are stored in the docs/ directory of GIT).

Agreed that the web pages could also be improved.

--
Eric Blake eblake@xxxxxxxxxx +1-801-349-2682
Libvirt virtualization library http://libvirt.org
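
Review bot: the two `dynamic_ownership:` comment lines document the setting as choosing between static and dynamic SELinux labels (`0 == static assignment of SELinux labels`), which does not match what the reply in this thread describes: the parameter decides whether libvirt sets user/group DAC ownership on disk images to match the QEMU process uid/gid, while static versus dynamic labelling is chosen in the guest XML. Suggest rewriting the comment to describe DAC ownership only and moving the `<seclabel>` example to the sVirt documentation under docs/. Smaller points in the same comment block: "imply" should be "implies", and the example mixes quote styles in `<seclabel model='selinux' type="static">`.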
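
The distinction drawn in this thread, as an added example that is not part of the original messages or of libvirt's code: a small audit helper that reads the DAC setting from qemu.conf text and the SELinux label mode from guest XML, showing that the two are independent. The function names and sample inputs are constructed for illustration (the label reuses the one in the quoted patch), and the fallbacks for a missing setting or element are assumptions noted in the comments.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (illustrative, not real host configuration).
QEMU_CONF = """\
# user = "root"
dynamic_ownership = 0
"""

DOMAIN_XML = """\
<domain type='kvm'>
  <name>demo</name>
  <seclabel model='selinux' type='static'>
    <label>system_u:system_r:qemu_t:s0:c210.c502</label>
  </seclabel>
</domain>
"""

def dac_dynamic_ownership(conf_text, default=1):
    """Return qemu.conf's dynamic_ownership (DAC chown of disk images)."""
    for line in conf_text.splitlines():
        m = re.match(r"\s*dynamic_ownership\s*=\s*(\d+)", line)
        if m:  # commented-out lines start with '#', so they never match
            return int(m.group(1))
    return default  # assumption: an unset value behaves as 1

def selinux_label_mode(domain_xml):
    """Return (type, label) of the SELinux <seclabel>, from guest XML only."""
    root = ET.fromstring(domain_xml)
    for sec in root.findall("seclabel"):
        # assumption: a <seclabel> without a model attribute is treated as selinux
        if sec.get("model", "selinux") == "selinux":
            return sec.get("type", "dynamic"), sec.findtext("label")
    return "dynamic", None  # assumption: no element means dynamic labelling

def report(conf_text, domain_xml):
    """Combine both answers; neither value is derived from the other."""
    mode, label = selinux_label_mode(domain_xml)
    return {
        "dac_chown_by_libvirt": bool(dac_dynamic_ownership(conf_text)),
        "selinux_label_type": mode,
        "selinux_label": label,
    }

if __name__ == "__main__":
    print(report(QEMU_CONF, DOMAIN_XML))
```
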