On Sat, Jul 04, 2009 at 12:13:47PM -0400, Gene Czarcinski wrote:

> 1. I am not sure what should be done with real devices such as /dev/sr0.

sVirt does not distinguish based on device type; rather, it goes off the disk mode. Exclusive read/write disks get a label with an MCS level specific to the guest, read/write shared disks get a label with an MCS level of s0, and read-only disks get a label system_u:object_r:svirt_image_t:s0 which allows read access.

> 2. For files on read-only file systems, don't do anything ... they are protected
> about as much as they can be.

As has been mentioned in the bug you raised several days ago, this issue should already be addressed:

https://bugzilla.redhat.com/show_bug.cgi?id=507555

> 4. For ISO files, maybe there should be a new/special file context which allows
> sharing between processes ... it would be explicit but it would allow sharing
> ... maybe something like "public_content_t".

There is already a label for read-only guest images, system_u:object_r:svirt_image_t:s0. It shouldn't be much work for you to add a custom SELinux plugin that gives httpd_t access to content labelled svirt_image_t. Ask the fedora-selinux mailing list for assistance if needed.

> 5. Maybe implement a switch which disables SELinux enforcing (and does not
> change the file context of ISO files) for Fedora-virtualization.

Already present: in /etc/libvirt/qemu.conf, change security_driver="none".

> 6. Maybe the switch should be by guest.

Easy enough to add - file a bug if you want this capability.

Daniel

--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
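As an added illustration of the labelling scheme and the qemu.conf switch discussed in the reply above (example script written here, not libvirt's own code): it classifies a disk image's SELinux context by whether its MCS level carries per-guest categories, counts images that sit at plain s0, and checks whether security_driver is set to "none". The "ls -Z"-style lines and the qemu.conf fragment are constructed sample data; the image paths are assumptions.

```shell
#!/bin/sh
# Audit helper for sVirt disk labels (constructed example, not libvirt code).
# On a real host, feed count_shared the output of "ls -Z /var/lib/libvirt/images"
# and security_driver_disabled the contents of /etc/libvirt/qemu.conf.

# classify_label CONTEXT -> exclusive | shared | other
classify_label() {
    case "$1" in
        *:svirt_image_t:s0:c*) echo exclusive ;;  # MCS categories: one guest only
        *:svirt_image_t:s0)    echo shared ;;     # plain s0: not tied to one guest
        *)                     echo other ;;      # not an sVirt image label
    esac
}

# count_shared: read "CONTEXT PATH" lines on stdin, report each image whose
# label is plain s0 on stderr, and print how many were found on stdout.
count_shared() {
    n=0
    while read -r ctx path; do
        [ -n "$ctx" ] || continue
        if [ "$(classify_label "$ctx")" = shared ]; then
            echo "s0 image (reachable by any guest): $path" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# security_driver_disabled: read qemu.conf on stdin; succeeds when an
# uncommented security_driver = "none" line is present.
security_driver_disabled() {
    grep -Eq '^[[:space:]]*security_driver[[:space:]]*=[[:space:]]*"none"'
}

# Constructed sample resembling "ls -Z": two guest disks and one ISO.
SAMPLE='system_u:object_r:svirt_image_t:s0:c12,c34 /var/lib/libvirt/images/guest1.img
system_u:object_r:svirt_image_t:s0:c56,c78 /var/lib/libvirt/images/guest2.img
system_u:object_r:svirt_image_t:s0 /var/lib/libvirt/images/install.iso'

printf '%s\n' "$SAMPLE" | count_shared
# Constructed qemu.conf fragment with the driver switched off.
printf 'security_driver = "none"\n' | security_driver_disabled \
    && echo "WARNING: sVirt confinement disabled in qemu.conf"
```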