On Tue, Jun 28, 2011 at 07:29:28AM -0400, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 06/27/2011 08:20 AM, Daniel P. Berrange wrote:
> > This patch series adds two new features
> >
> >  - The ability to override 'system_u:system_r:svirt_t:s0' from
> >    /etc/selinux/targeted/contexts/virtual_domain_context using
> >    the guest XML
> >  - The ability to use dynamic relabelling of resources, in combo
> >    with static VM label assignment.
> >
> > The latter is useful for management applications which want to
> > be in full control of assigning VM labels (so that they can be
> > unique across an entire cluster of hosts for example), while
> > still benefiting from automatic relabelling of resources in the
> > XML.
> >
> I think you might want to be a little more flexible with this. I see
> where you would want 4 ways of doing this.

We already do options 1 and 3. These two patches I post let us
also support options 2 and 4, so I think we're sorted.

> Dynamic with /etc/selinux/targeted/contexts/virtual_domain_context

  <seclabel type='dynamic'/>

> Dynamic with alternate TYPE, Meaning I could specify
> system_u:system_r:svirt_apache_t:s0 and then libvirt would select a MCS
> label for this context and launch
> system_u:system_r:svirt_apache_t:s0:c1,c257

  <seclabel type='dynamic'>
    <baselabel>system_u:system_r:svirt_apache_t:s0</baselabel>
  </seclabel>

> Static with no relabel.

  <seclabel type='static' relabel='no'>
    <label>system_u:system_r:svirt_apache_t:s0:c1,c257</label>
  </seclabel>

> Static with relabel.

  <seclabel type='static' relabel='yes'>
    <label>system_u:system_r:svirt_apache_t:s0:c1,c257</label>
  </seclabel>

Regards,
Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
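
The four seclabel forms listed in this thread can be told apart and sanity-checked mechanically. The linter below is an added example, not code from the thread or from libvirt. The mode names, the function name, the simplified context pattern and the treatment of a missing relabel attribute on a static label as 'no' are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Simplified SELinux context: user:role:type:sensitivity[:categories]
# (single sensitivity only; MLS ranges are out of scope for this sketch).
CONTEXT_RE = re.compile(r"^\w+:\w+:\w+:s\d+(?::(?P<cats>c\d+(?:[,.]c\d+)*))?$")


def classify_seclabel(xml_text):
    """Return (mode, problems) for a single <seclabel> element."""
    el = ET.fromstring(xml_text)
    kind = el.get("type")
    label = (el.findtext("label") or "").strip()
    base = (el.findtext("baselabel") or "").strip()
    problems = []
    if kind == "dynamic":
        mode = "dynamic-baselabel" if base else "dynamic-default"
        if el.get("relabel") == "no":
            problems.append("dynamic labelling requires relabelling")
        if base and not CONTEXT_RE.match(base):
            problems.append("baselabel is not a user:role:type:level context")
    elif kind == "static":
        # Assumption: a missing relabel attribute is treated as 'no'.
        relabel = el.get("relabel", "no")
        mode = "static-relabel" if relabel == "yes" else "static-no-relabel"
        m = CONTEXT_RE.match(label)
        if not m:
            problems.append("static label missing or malformed")
        elif not m.group("cats"):
            # Without MCS categories, guests sharing the label are not separated.
            problems.append("static label has no MCS categories")
    else:
        mode = "unknown"
        problems.append(f"unexpected type {kind!r}")
    return mode, problems


# The four forms from the thread, followed by one constructed bad case.
SAMPLES = [
    "<seclabel type='dynamic'/>",
    "<seclabel type='dynamic'><baselabel>system_u:system_r:svirt_apache_t:s0</baselabel></seclabel>",
    "<seclabel type='static' relabel='no'><label>system_u:system_r:svirt_apache_t:s0:c1,c257</label></seclabel>",
    "<seclabel type='static' relabel='yes'><label>system_u:system_r:svirt_apache_t:s0:c1,c257</label></seclabel>",
    "<seclabel type='static' relabel='yes'><label>system_u:system_r:svirt_apache_t:s0</label></seclabel>",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify_seclabel(sample))
```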