On Wed, Mar 09, 2011 at 11:38:23AM +0100, Stephan Mueller wrote:
> On Friday, 4 March 2011, at 17:35:03, Daniel P. Berrange wrote:
> > > +# A static assignment of SELinux labels imply that the administrator
> > > +# manually configures the SELinux label of the virtual machine in
> > > +# /etc/libvirt/qemu/<VM-DESCRIPTOR> based on the following example:
> > > +#
> > > +# <seclabel model='selinux' type="static">
> > > +# <label>system_u:system_r:qemu_t:s0:c210.c502</label>
> > > +# </seclabel>
> > > +#
> > > +# The <label> tag specifies a full SELinux label the virtual machine
> > > +# will be executed with.
> > > +#
> > > +# In addition to the setting of the SELinux label of the virtual
> > > +# machine, the administrator must manually set the SELinux label
> > > +# of all resources the virtual machine accesses appropriately.
> > > +#
> > > +# NOTE: The dynamic assignment of categories is only intended for
> > > +# systems with the targeted SELinux policy. Systems with the MLS
> > > +# SELinux policy MUST use the static assignment of labels.
> > > +# It is possible that static assignment is configured for
> > > +# systems with the targeted policy as well.
> > > +#
> > > +# dynamic_ownership: 0 == static assignment of SELinux labels
> > > +# 1 == dynamic assignment of SELinux labels
> > > +dynamic_ownership=1
> > > +#
> > 
> > This is not what the dynamic_ownership parameter does - it actually
> > has nothing to do with SELinux / sVirt. This determines whether
> > libvirt will set the user/group DAC ownership on the disk images
> > to match the uid/gid the QEMU process runs under.
> 
> I see. Thanks for the clarification.
> 
> > Whether libvirt uses static or dynamic SELinux labels is entirely
> > controlled by the guest XML config. This is explained a little bit
> > in this webpage:
> > 
> >   http://libvirt.org/drvqemu.html#securitysvirt
> > 
> > though you might wish to improve the wording a little more (the web
> > pages are stored in the docs/ directory of GIT.
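Review bot: the comment block ending at `+dynamic_ownership=1` documents the wrong knob. It presents `dynamic_ownership` as choosing between static (0) and dynamic (1) assignment of SELinux labels, but, as the quoted reply points out, that parameter only controls whether libvirt changes the user/group DAC ownership of disk images to match the uid/gid QEMU runs as, and has no effect on sVirt labelling, which is selected per guest through `<seclabel>` in the domain XML. An administrator who sets it to 0 following this comment would stop the chown of disk images and still get dynamic labels. Suggest dropping the two `dynamic_ownership:` lines and the `dynamic_ownership=1` setting from this comment, moving the `<seclabel>` example and the targeted/MLS note into the sVirt section of the domain XML documentation under docs/ (the page at http://libvirt.org/drvqemu.html#securitysvirt is the natural home), and in whatever text is kept, fixing "labels imply" to "labels implies" and using one quoting style in `<seclabel model='selinux' type="static">`.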
> > 
> This statement there is not fully clear. Can you please briefly state how
> you switch between dynamic and static labeling.

As you sort of mentioned above, when defining a new guest XML, if you
don't include any <seclabel> element in the XML, then the VM uses dynamic
labelling. Also if you have <seclabel type='dynamic'/> then it'll do
dynamic labelling. Only if you explicitly include the full XML like

  <seclabel model='selinux' type="static">
    <label>system_u:system_r:qemu_t:s0:c210.c502</label>
  </seclabel>

will static labelling be used.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
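The rule Daniel states above (no <seclabel>, or type='dynamic', means dynamic sVirt labelling; only a static <seclabel> carrying a <label> means static) applied to a domain XML, alongside a separate read of dynamic_ownership from qemu.conf to make the point from the thread concrete: the two settings are independent, one is sVirt, the other is DAC. This is an added example for this page, not libvirt's code. The sample domain XML and qemu.conf snippets are constructed, and the label regex is a simple MCS-format sanity check written here (single sensitivity level only), not libvirt's or libselinux's validation.

```python
import re
import xml.etree.ElementTree as ET

# Basic sanity check for an SELinux MCS label such as
# system_u:system_r:qemu_t:s0:c210.c502 (user:role:type:sensitivity[:categories]).
# Assumption: written for this example; accepts one sensitivity level with an
# optional list of categories or category ranges. It is not libvirt's check.
MCS_LABEL_RE = re.compile(
    r"^[^:\s]+:[^:\s]+:[^:\s]+:s\d+"
    r"(?::c\d+(?:\.c\d+)?(?:,c\d+(?:\.c\d+)?)*)?$"
)


def svirt_labelling_mode(domain_xml: str) -> dict:
    """Return how sVirt will label the guest described by domain_xml.

    Rule from the thread: no <seclabel> -> dynamic; type='dynamic' -> dynamic;
    only <seclabel type='static'> with a <label> child -> static.
    """
    root = ET.fromstring(domain_xml)
    sec = root.find("seclabel")
    if sec is None:
        return {"mode": "dynamic", "model": None, "label": None}

    sec_type = sec.get("type")
    if sec_type is None:
        # Design choice of this checker: refuse to guess rather than pick a default.
        raise ValueError("<seclabel> has no type attribute")
    if sec_type == "dynamic":
        return {"mode": "dynamic", "model": sec.get("model"), "label": None}
    if sec_type == "static":
        label_el = sec.find("label")
        label = (label_el.text or "").strip() if label_el is not None else ""
        if not label:
            raise ValueError("static <seclabel> needs a <label> child")
        if not MCS_LABEL_RE.match(label):
            raise ValueError(f"label does not look like an MCS label: {label!r}")
        return {"mode": "static", "model": sec.get("model"), "label": label}
    raise ValueError(f"unknown seclabel type {sec_type!r}")


def dac_dynamic_ownership(qemu_conf: str) -> bool:
    """Read dynamic_ownership from qemu.conf text.

    This knob only decides whether libvirt chowns disk images to the uid/gid
    QEMU runs as; it says nothing about SELinux labelling. qemu.conf documents
    the default as 1 (enabled), which applies when the key is absent or commented out.
    """
    value = 1
    for line in qemu_conf.splitlines():
        m = re.match(r"^\s*dynamic_ownership\s*=\s*(\d+)\s*$", line)
        if m:
            value = int(m.group(1))
    return value == 1


# Constructed sample inputs for this example (not taken from the thread).
DOMAIN_NO_SECLABEL = "<domain type='kvm'><name>vm-a</name></domain>"
DOMAIN_DYNAMIC = (
    "<domain type='kvm'><name>vm-b</name>"
    "<seclabel type='dynamic' model='selinux'/></domain>"
)
DOMAIN_STATIC = """<domain type='kvm'>
  <name>vm-c</name>
  <seclabel model='selinux' type='static'>
    <label>system_u:system_r:qemu_t:s0:c210.c502</label>
  </seclabel>
</domain>"""
DOMAIN_STATIC_NO_LABEL = (
    "<domain type='kvm'><name>vm-d</name>"
    "<seclabel model='selinux' type='static'/></domain>"
)
QEMU_CONF_DAC_OFF = '# qemu.conf (constructed)\nuser = "qemu"\ndynamic_ownership = 0\n'


def describe(domain_xml: str, qemu_conf: str) -> str:
    """One-line summary showing that the two settings vary independently."""
    mode = svirt_labelling_mode(domain_xml)
    dac = "on" if dac_dynamic_ownership(qemu_conf) else "off"
    label = f" label={mode['label']}" if mode["label"] else ""
    return f"svirt={mode['mode']}{label}; dac dynamic_ownership={dac}"


if __name__ == "__main__":
    for xml_text in (DOMAIN_NO_SECLABEL, DOMAIN_DYNAMIC, DOMAIN_STATIC):
        print(describe(xml_text, QEMU_CONF_DAC_OFF))
    try:
        svirt_labelling_mode(DOMAIN_STATIC_NO_LABEL)
    except ValueError as exc:
        print("rejected:", exc)
```

With dynamic_ownership = 0 in the constructed qemu.conf, all three guests still report whatever <seclabel> says (dynamic, dynamic, static), which is the behaviour the reply describes: turning that option off changes disk ownership handling, not labelling. A static <seclabel> without a <label> is rejected rather than silently treated as dynamic, since that is the misconfiguration an MLS deployment most needs to catch.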