Re: [libvirt-sandbox][PATCH] Docs: Fix security options wrongs in man page

On Fri, Mar 15, 2013 at 06:29:05PM +0800, Alex Jia wrote:
> 
> Signed-off-by: Alex Jia <ajia@xxxxxxxxxx>
> ---
>  bin/virt-sandbox.c |   14 ++++++++++----
>  1 files changed, 10 insertions(+), 4 deletions(-)
> 
> diff --git a/bin/virt-sandbox.c b/bin/virt-sandbox.c
> index 69d1e62..66676c3 100644
> --- a/bin/virt-sandbox.c
> +++ b/bin/virt-sandbox.c
> @@ -372,13 +372,19 @@ separated by commas. The following options are valid for SELinux
>  
>  =over 4
>  
> -=item type=TYPE
> +=item dynamic
>  
> -The SELinux security type, defaults to sandbox_t
> +The SELinux security dynamic for the sandbox, defaults to svirt_sandbox_t

I'd word this as

  Dynamically allocate an SELinux label, using the default
  base context. The default base context is .... for LXC,
  ..... for KVM and .... for QEMU.

The defaults are seen here

        else if (gvir_config_domain_get_virt_type(domain) ==
                 GVIR_CONFIG_DOMAIN_VIRT_LXC)
            gvir_config_domain_seclabel_set_baselabel(sec, "system_u:system_r:svirt_lxc_net_t:s0");
        else if (gvir_config_domain_get_virt_type(domain) ==
                 GVIR_CONFIG_DOMAIN_VIRT_QEMU)
            gvir_config_domain_seclabel_set_baselabel(sec, "system_u:system_r:svirt_tcg_t:s0");
        else if (gvir_config_domain_get_virt_type(domain) ==
                 GVIR_CONFIG_DOMAIN_VIRT_KVM)
            gvir_config_domain_seclabel_set_baselabel(sec, "system_u:system_r:svirt_t:s0");



> -=item level=LEVEL
> +=item dynamic,label=USER:ROLE:TYPE:LEVEL
>  
> -The SELinux MCS level, defaults to a randomly allocated level
> +To use dynamic and override the base label, defaults to
> +system_u:system_r:svirt_t:s0

I'd simplify this to

 Dynamically allocate an SELinux label, using the base
 context USER:ROLE:TYPE:LEVEL, instead of the default
 base context.

> +
> +=item static,label=USER:ROLE:TYPE:LEVEL
> +
> +To set a completely static label. For example,
> +static,label=system_u:system_r:svirt_t:s0:c412,c355
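
Review bot: the new `dynamic` and `dynamic,label=USER:ROLE:TYPE:LEVEL` items disagree on the default, and the `static,label=` item at the end of the hunk is only a sentence fragment. The first says "defaults to svirt_sandbox_t" and the second says "defaults to system_u:system_r:svirt_t:s0", so a reader cannot tell which base context applies when no label is given. The removed `level=LEVEL` text was also the only place that said the MCS level is randomly allocated, and none of the added lines carries that over. Suggest stating under the dynamic items that the level is allocated randomly, and under `static,label=` whether the categories in the example (`c412,c355`) are used exactly as written, since that difference is what decides which option a user should pick.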


Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
