[libvirt] [PATCH 3/3] Add documentation for the seclabel XML element
Eric Blake
eblake at redhat.com
Mon Jun 27 16:19:37 UTC 2011
On 06/27/2011 06:20 AM, Daniel P. Berrange wrote:
> The domain XML documentation is missing information about the
> <seclabel> element used by security drivers
>
> * formatdomain.html.in: Document <seclabel>
> ---
> docs/formatdomain.html.in | 76 +++++++++++++++++++++++++++++++++++++++++++++
> 1 files changed, 76 insertions(+), 0 deletions(-)
Oh, this covers part of my complaint in both 1/3 and 2/3.
If we decide to defer those patches until post-0.9.3, then there is
still a good chunk of this patch which should be applied now.
>
> diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
> index 3a64983..c1ea480 100644
> --- a/docs/formatdomain.html.in
> +++ b/docs/formatdomain.html.in
> @@ -2614,6 +2614,82 @@ qemu-kvm -net nic,model=? /dev/null
> </dd>
> </dl>
>
> + <h3><a name="seclabel">Security label</a></h3>
> +
> + <p>
> + The <code>seclabel</code> element allows control over the
> + operation of the security drivers. There are two basic
> + modes of operation, dynamic where libvirt automatically
> + generates a unique security label, or static where the
> + application/administrator chooses the labels. With dynamic
> + label generation, libvirt will always automatically
> + relabel any resources associated with the virtual machine.
> + With static label assignment, by default, the administrator
> + or application must ensure labels are set correctly on any
> + resources, however, automatic relabelling can be enabled
s/relabelling/relabeling/ if we are going to favor US spellings in
public-facing documentation
> + if desired
> + </p>
> +
> + <p>
> + Valid input XML configurations for the security label
> + are:
> + </p>
> +
> + <pre>
> + <seclabel type='dynamic' model='selinux'/>
> +
> + <seclabel type='dynamic' model='selinux'>
> + <baselabel>system_u:system_r:my_svirt_t:s0</baselabel>
> + </seclabel>
For example, up to here is useful to be applied now...
> +
> + <seclabel type='static' model='selinux' relabel='no'>
> + <label>system_u:system_r:svirt_t:s0:c392,c662</label>
> + </seclabel>
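Review bot: The opening paragraph says that with static labels "automatic relabelling can be enabled if desired", but it does not say how. Name the attribute that controls this at that point in the text; the static example in this hunk sets relabel='no', so the reader sees only the off case and has to infer the rest. The same sentence is missing its final period after "if desired", and "resources, however, automatic" is a comma splice that would read better as two sentences.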
...while this depends on the rest of the series.
--
Eric Blake eblake at redhat.com +1-801-349-2682
Libvirt virtualization library http://libvirt.org