On Thu, 11 Dec 2008, Daniel P. Berrange wrote:

> > * a virNodeInfo is a structure filled by virNodeGetInfo() and providing > > @@ -504,6 +567,10 @@ int virDomainSetMaxMemory (virDomainPtr domain, > > int virDomainSetMemory (virDomainPtr domain, > > unsigned long memory); > > int virDomainGetMaxVcpus (virDomainPtr domain); > > +int virDomainGetSecLabel (virDomainPtr domain, > > + virDomainSecLabelPtr seclabel); > > +int virDomainGetSecModel (virDomainPtr domain, > > + virDomainSecModelPtr secmodel);
>
> I'm leaning two ways on this. On the one hand I could see the
> virDomainGetSecModel being done against the node to match the
> fact that we record it in the node capabilities XML, so perhaps
> virNodeGetSecurityModel(virConnectPtr).

Actually, this is a call to get the node information, so I think the name
should be changed.

> On the other hand, we already have this info against the node,

Which came from the above call.

> and conceivably you could have a domain configured with a model
> that doesn't match the node's model, so an explicit per-domain
> call is right. In that scenario, could we just put the security
> model data into the security label struct and have a single API

The domain doesn't have a security label until it's running, and then it
must match the node's model, so I'm not sure we need to change anything
except the name of virDomainGetSecModel (to virNodeGetSecurityMode).

- James
--
James Morris <jmorris@xxxxxxxxx>
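
Review bot: the two prototypes added after virDomainGetMaxVcpus take a caller-supplied seclabel/secmodel pointer, but nothing visible in the hunk documents who allocates the struct or what the int return means for a domain that has no label yet (the reply notes a domain has none until it is running). A short comment above each declaration stating the allocation contract and the return convention for that case would make the API usable without reading the driver. Separately, virDomainGetSecModel takes a virDomainPtr while the thread treats it as node information; if it is renamed to a node-level call, the first parameter should become the connection, as in the virNodeGetSecurityModel(virConnectPtr) form suggested in the quoted review.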