On Mon, Jun 27, 2011 at 10:07:23AM -0600, Eric Blake wrote: > On 06/27/2011 06:20 AM, Daniel P. Berrange wrote: > > Normally the dynamic labelling mode will always use a base > > label of 'svirt_t' for VMs. Introduce a <baselabel> field > > in the <seclabel> XML to allow this base label to be changed > > > > eg > > > > <seclabel type='dynamic' model='selinux'> > > <baselabel>system_u:object_r:virt_t:s0</baselabel> > > </seclabel> > > > > * docs/schemas/domain.rng: Add <baselabel> > > * src/conf/domain_conf.c, src/conf/domain_conf.h: Parsing > > of base label > > * src/qemu/qemu_process.c: Don't reset 'model' attribute if > > a base label is specified > > * src/security/security_apparmor.c: Refuse to support base label > > * src/security/security_selinux.c: Use 'baselabel' when generating > > label, if available > > The code looks okay, but this missed the RC1 freeze. Is this something > we need in 0.9.3 for a bug-fix, or should it wait until after the > release as a feature addition? It isn't critical for 0.9.3, and I have more SELinux additions pending, so I'll wait until after 0.9.3 Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :| -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list