[libvirt] [PATCH 1/3] Allow a base label to be specified in dynamic labelling mode

Daniel P. Berrange berrange at redhat.com
Tue Jun 28 17:23:01 UTC 2011


On Mon, Jun 27, 2011 at 10:07:23AM -0600, Eric Blake wrote:
> On 06/27/2011 06:20 AM, Daniel P. Berrange wrote:
> > Normally the dynamic labelling mode will always use a base
> > label of 'svirt_t' for VMs. Introduce a <baselabel> field
> > in the <seclabel> XML to allow this base label to be changed
> > 
> > eg
> > 
> >    <seclabel type='dynamic' model='selinux'>
> >      <baselabel>system_u:object_r:virt_t:s0</baselabel>
> >    </seclabel>
> > 
> > * docs/schemas/domain.rng: Add <baselabel>
> > * src/conf/domain_conf.c, src/conf/domain_conf.h: Parsing
> >   of base label
> > * src/qemu/qemu_process.c: Don't reset 'model' attribute if
> >   a base label is specified
> > * src/security/security_apparmor.c: Refuse to support base label
> > * src/security/security_selinux.c: Use 'baselabel' when generating
> >   label, if available
> 
> The code looks okay, but this missed the RC1 freeze.  Is this something
> we need in 0.9.3 for a bug-fix, or should it wait until after the
> release as a feature addition?

It isn't critical for 0.9.3, and I have more SELinux additions
pending, so I'll wait until after 0.9.3.


Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
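
An added example, not part of the original thread and not libvirt's own code: a Python audit of domain XML for the <baselabel> override described in the commit message. It reports definitions that move a guest off the default 'svirt_t' type or that the AppArmor driver would refuse. The function name, finding codes and sample documents are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

DEFAULT_TYPE = "svirt_t"  # default base label named in the commit message


def audit_seclabel(domain_xml):
    """Return a list of (code, detail) findings for one domain definition.

    Input is assumed to be trusted local configuration; ElementTree is not
    hardened against hostile XML.
    """
    sec = ET.fromstring(domain_xml).find("seclabel")
    if sec is None:
        return []
    base = (sec.findtext("baselabel") or "").strip()
    if not base:
        return []  # no override: dynamic mode keeps the default base label
    findings = []
    model, mode = sec.get("model"), sec.get("type")
    if model == "apparmor":
        # Per the commit message, the AppArmor driver refuses a base label.
        findings.append(("unsupported-model", model))
    if mode != "dynamic":
        # Assumption: the override is only meaningful in dynamic mode.
        findings.append(("not-dynamic", mode))
    if model == "selinux":
        # SELinux contexts are user:role:type[:level]; the level may hold ':'.
        fields = base.split(":", 3)
        if len(fields) < 3 or not all(fields[:3]):
            findings.append(("malformed-context", base))
        elif fields[2] != DEFAULT_TYPE:
            findings.append(("non-default-type", fields[2]))
    return findings


# Constructed samples; the first wraps the <seclabel> shown in the message.
PAGE_EXAMPLE = ("<domain><seclabel type='dynamic' model='selinux'>"
                "<baselabel>system_u:object_r:virt_t:s0</baselabel>"
                "</seclabel></domain>")
APPARMOR = ("<domain><seclabel type='dynamic' model='apparmor'>"
            "<baselabel>constructed-profile</baselabel></seclabel></domain>")
NO_OVERRIDE = "<domain><seclabel type='dynamic' model='selinux'/></domain>"

if __name__ == "__main__":
    for name in ("PAGE_EXAMPLE", "APPARMOR", "NO_OVERRIDE"):
        print(name, audit_seclabel(globals()[name]))
```

A "non-default-type" finding is not an error in itself; it marks a guest whose confinement depends on what the loaded policy grants that type, so it is worth reviewing.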



