[libvirt] [PATCH 0/3] Improve flexibility of SELinux labelling

Daniel J Walsh dwalsh at redhat.com
Tue Jun 28 12:55:15 UTC 2011



On 06/28/2011 08:23 AM, Daniel P. Berrange wrote:
> On Tue, Jun 28, 2011 at 07:29:28AM -0400, Daniel J Walsh wrote:
>>
>> On 06/27/2011 08:20 AM, Daniel P. Berrange wrote:
>>> This patch series adds two new features
>>>
>>>  - The ability to override 'system_u:system_r:svirt_t:s0' from
>>>    /etc/selinux/targeted/contexts/virtual_domain_context using
>>>    the guest XML
>>>  - The ability to use dynamic relabelling of resources, in combo
>>>    with static VM label assignment.
>>>
>>> The latter is useful for management applications which want to
>>> be in full control of assigning VM labels (so that they can be
>>> unique across an entire cluster of hosts for example), while
>>> still benefiting from automatic relabelling of resources in the
>>> XML.
>>>
>> I think you might want to be a little more flexible with this.  I see
>> where you would want 4 ways of doing this.
> 
> We already do options 1 and 3. These two patches I post let us also
> support options 2 and 4, so I think we're sorted.
> 
>> Dynamic with /etc/selinux/targeted/contexts/virtual_domain_context
> 
>   <seclabel type='dynamic'/>
> 
>> Dynamic with an alternate TYPE, meaning I could specify
>> system_u:system_r:svirt_apache_t:s0 and then libvirt would select an MCS
>> label for this context and launch
>> system_u:system_r:svirt_apache_t:s0:c1,c257
> 
>    <seclabel type='dynamic'>
>      <baselabel>system_u:system_r:svirt_apache_t:s0</baselabel>
>    </seclabel>
> 
>> Static with no relabel.
> 
>    <seclabel type='static' relabel='no'>
>      <label>system_u:system_r:svirt_apache_t:s0:c1,c257</label>
>    </seclabel>
> 
>> Static with relabel.
> 
>    <seclabel type='static' relabel='yes'>
>      <label>system_u:system_r:svirt_apache_t:s0:c1,c257</label>
>    </seclabel>
> 
> Regards,
> Daniel
Great thanks.
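The four <seclabel> forms listed in the reply above, worked through as an added Python example. This is not libvirt's code or part of the thread; it is a simplified model of what the process label and relabelling decision would be for each form. Assumptions are marked in the code: the default context is a constructed constant rather than being read from /etc/selinux/targeted/contexts/virtual_domain_context, an absent <seclabel> is treated as dynamic, a static label with no relabel attribute is treated as relabel='no', and the MCS pair is drawn as two distinct categories from c0..c1023. The resolve_seclabel() helper and the EXAMPLES dictionary are hypothetical names chosen for this example.

```python
import random
import re
import xml.etree.ElementTree as ET

# Assumption: libvirt reads this from
# /etc/selinux/targeted/contexts/virtual_domain_context; it is a constructed
# constant here so the example runs offline.
DEFAULT_DOMAIN_CONTEXT = "system_u:system_r:svirt_t:s0"

# user:role:type:sensitivity, optionally followed by MCS categories
CONTEXT_RE = re.compile(r"^[\w.-]+:[\w.-]+:[\w.-]+:s\d+(?::c\d+(?:,c\d+)*)?$")


def gen_mcs(rng):
    """Pick two distinct categories in c0..c1023 and return 'cA,cB' with A < B.

    Assumption: a pair of categories is enough to model the thread's
    'c1,c257' style labels; this is not libvirt's allocator.
    """
    a, b = sorted(rng.sample(range(1024), 2))
    return f"c{a},c{b}"


def resolve_seclabel(domain_xml, rng=None):
    """Return {'mode', 'label', 'relabel'} for a guest <domain> XML string.

    Simplified model of the four cases in the thread:
      dynamic, no baselabel -> default context + generated MCS pair, relabel
      dynamic, baselabel    -> baselabel + generated MCS pair, relabel
      static, relabel='no'  -> label used verbatim, resources left alone
      static, relabel='yes' -> label used verbatim, resources relabelled
    """
    rng = rng or random.Random()
    root = ET.fromstring(domain_xml)
    sec = root.find("seclabel")
    if sec is None:
        # Assumption: a domain with no <seclabel> behaves like type='dynamic'.
        sec = ET.Element("seclabel", type="dynamic")

    mode = sec.get("type", "dynamic")
    if mode == "dynamic":
        base_el = sec.find("baselabel")
        if base_el is not None and base_el.text:
            base = base_el.text.strip()
        else:
            base = DEFAULT_DOMAIN_CONTEXT
        # A baselabel must be a complete context without categories, since
        # the categories are what gets generated per guest.
        if not CONTEXT_RE.match(base) or ":c" in base:
            raise ValueError(f"baselabel must be a context without MCS categories: {base!r}")
        return {"mode": "dynamic", "label": f"{base}:{gen_mcs(rng)}", "relabel": True}

    if mode == "static":
        label_el = sec.find("label")
        if label_el is None or not label_el.text:
            raise ValueError("static seclabel requires a <label> element")
        label = label_el.text.strip()
        if not CONTEXT_RE.match(label):
            raise ValueError(f"malformed static label: {label!r}")
        # Assumption: an omitted relabel attribute on a static label means 'no'.
        relabel = sec.get("relabel", "no")
        if relabel not in ("yes", "no"):
            raise ValueError(f"relabel must be 'yes' or 'no', got {relabel!r}")
        return {"mode": "static", "label": label, "relabel": relabel == "yes"}

    raise ValueError(f"unknown seclabel type {mode!r}")


# Constructed domain fragments, one per form from the thread.
EXAMPLES = {
    "dynamic-default": "<domain><seclabel type='dynamic'/></domain>",
    "dynamic-baselabel": (
        "<domain><seclabel type='dynamic'>"
        "<baselabel>system_u:system_r:svirt_apache_t:s0</baselabel>"
        "</seclabel></domain>"
    ),
    "static-no-relabel": (
        "<domain><seclabel type='static' relabel='no'>"
        "<label>system_u:system_r:svirt_apache_t:s0:c1,c257</label>"
        "</seclabel></domain>"
    ),
    "static-relabel": (
        "<domain><seclabel type='static' relabel='yes'>"
        "<label>system_u:system_r:svirt_apache_t:s0:c1,c257</label>"
        "</seclabel></domain>"
    ),
}

if __name__ == "__main__":
    for name, xml in EXAMPLES.items():
        print(f"{name:20s} {resolve_seclabel(xml)}")
```

The check that a baselabel carries no categories is the practical one: if a management application puts a full s0:cN,cM label in <baselabel>, the generated pair would be appended to an already-categorised context, and the label uniqueness the static form is meant to provide would be lost. The static path only validates the context shape; whether the chosen category pair is unique across the cluster is the management application's job, which is the point of the static-with-relabel form.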
