[libvirt] [PATCH 3/3] Add documentation for the seclabel XML element

Eric Blake eblake at redhat.com
Mon Jun 27 16:19:37 UTC 2011 

On 06/27/2011 06:20 AM, Daniel P. Berrange wrote:
> The domain XML documentation is missing information about the
> <seclabel> element used by security drivers
> 
> * formatdomain.html.in: Document <seclabel>
> ---
>  docs/formatdomain.html.in |   76 +++++++++++++++++++++++++++++++++++++++++++++
>  1 files changed, 76 insertions(+), 0 deletions(-)

Oh, this covers part of my complaint in both 1/3 and 2/3.

If we decide to defer those patches until post-0.9.3, then there is
still a good chunk of this patch which should be applied now.

> 
> diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
> index 3a64983..c1ea480 100644
> --- a/docs/formatdomain.html.in
> +++ b/docs/formatdomain.html.in
> @@ -2614,6 +2614,82 @@ qemu-kvm -net nic,model=? /dev/null
>        </dd>
>      </dl>
>  
> +    <h3><a name="seclabel">Security label</a></h3>
> +
> +    <p>
> +      The <code>seclabel</code> element allows control over the
> +      operation of the security drivers. There are two basic
> +      modes of operation, dynamic where libvirt automatically
> +      generates a unique security label, or static where the
> +      application/administrator chooses the labels. With dynamic
> +      label generation, libvirt will always automatically
> +      relabel any resources associated with the virtual machine.
> +      With static label assignment, by default, the administrator
> +      or application must ensure labels are set correctly on any
> +      resources, however, automatic relabelling can be enabled

s/relabelling/relabeling/ if we are going to favor US spellings in
public-facing documentation

> +      if desired
> +    </p>
> +
> +    <p>
> +      Valid input XML configurations for the security label
> +      are:
> +    </p>
> +
> +    <pre>
> +  <seclabel type='dynamic' model='selinux'/>
> +
> +  <seclabel type='dynamic' model='selinux'>
> +    <baselabel>system_u:system_r:my_svirt_t:s0</baselabel>
> +  </seclabel>

For example, up to here is useful to be applied now...

> +
> +  <seclabel type='static' model='selinux' relabel='no'>
> +    <label>system_u:system_r:svirt_t:s0:c392,c662</label>
> +  </seclabel>

...while this depends on the rest of the series.

-- 
Eric Blake   eblake at redhat.com    +1-801-349-2682
Libvirt virtualization library http://libvirt.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 619 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20110627/64f7161e/attachment-0001.sig>

More information about the libvir-list mailing list