Re: [PATCH 3/3] Add documentation for the seclabel XML element

Eric Blake <eblake@xxxxxxxxxx> · Mon, 27 Jun 2011 10:19:37 -0600

On 06/27/2011 06:20 AM, Daniel P. Berrange wrote:
> The domain XML documentation is missing information about the
> <seclabel> element used by security drivers
> 
> * formatdomain.html.in: Document <seclabel>
> ---
>  docs/formatdomain.html.in |   76 +++++++++++++++++++++++++++++++++++++++++++++
>  1 files changed, 76 insertions(+), 0 deletions(-)

Oh, this covers part of my complaint in both 1/3 and 2/3.

If we decide to defer those patches until post-0.9.3, then there is
still a good chunk of this patch which should be applied now.

> 
> diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
> index 3a64983..c1ea480 100644
> --- a/docs/formatdomain.html.in
> +++ b/docs/formatdomain.html.in
> @@ -2614,6 +2614,82 @@ qemu-kvm -net nic,model=? /dev/null
>        </dd>
>      </dl>
>  
> +    <h3><a name="seclabel">Security label</a></h3>
> +
> +    <p>
> +      The <code>seclabel</code> element allows control over the
> +      operation of the security drivers. There are two basic
> +      modes of operation, dynamic where libvirt automatically
> +      generates a unique security label, or static where the
> +      application/administrator chooses the labels. With dynamic
> +      label generation, libvirt will always automatically
> +      relabel any resources associated with the virtual machine.
> +      With static label assignment, by default, the administrator
> +      or application must ensure labels are set correctly on any
> +      resources, however, automatic relabelling can be enabled

s/relabelling/relabeling/ if we are going to favor US spellings in
public-facing documentation

> +      if desired
> +    </p>
> +
> +    <p>
> +      Valid input XML configurations for the security label
> +      are:
> +    </p>
> +
> +    <pre>
> +  &lt;seclabel type='dynamic' model='selinux'/&gt;
> +
> +  &lt;seclabel type='dynamic' model='selinux'&gt;
> +    &lt;baselabel&gt;system_u:system_r:my_svirt_t:s0&lt;/baselabel&gt;
> +  &lt;/seclabel&gt;

For example, up to here is useful to be applied now...

> +
> +  &lt;seclabel type='static' model='selinux' relabel='no'&gt;
> +    &lt;label&gt;system_u:system_r:svirt_t:s0:c392,c662&lt;/label&gt;
> +  &lt;/seclabel&gt;

...while this depends on the rest of the series.

-- 
Eric Blake   eblake@xxxxxxxxxx    +1-801-349-2682
Libvirt virtualization library http://libvirt.org

Attachment:
signature.asc

Description: OpenPGP digital signature
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list