[libvirt] [PATCH] dynamic_ownership documentation
Daniel P. Berrange
berrange at redhat.com
Wed Mar 9 11:45:18 UTC 2011
On Wed, Mar 09, 2011 at 11:38:23AM +0100, Stephan Mueller wrote:
> On Friday, 4 March 2011, at 17:35:03, Daniel P. Berrange wrote:
> > > +# A static assignment of SELinux labels imply that the administrator
> > > +# manually configures the SELinux label of the virtual machine in
> > > +# /etc/libvirt/qemu/<VM-DESCRIPTOR> based on the following example:
> > > +#
> > > +# <seclabel model='selinux' type="static">
> > > +# <label>system_u:system_r:qemu_t:s0:c210.c502</label>
> > > +# </seclabel>
> > > +#
> > > +# The <label> tag specifies a full SELinux label the virtual machine
> > > +# will be executed with.
> > > +#
> > > +# In addition to the setting of the SELinux label of the virtual
> > > +# machine, the administrator must manually set the SELinux label
> > > +# of all resources the virtual machine accesses appropriately.
> > > +#
> > > +# NOTE: The dynamic assignment of categories is only intended for
> > > +# systems with the targeted SELinux policy. Systems with the MLS
> > > +# SELinux policy MUST use the static assignment of labels.
> > > +# It is possible that static assignment is configured for
> > > +# systems with the targeted policy as well.
> > > +#
> > > +# dynamic_ownership: 0 == static assignment of SELinux labels
> > > +# 1 == dynamic assignment of SELinux labels
> > > +dynamic_ownership=1
> > > +#
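Review bot: the comment block documents dynamic_ownership as a switch between static and dynamic SELinux labels, but, as the reply that follows states, the parameter has nothing to do with sVirt: it controls whether libvirt sets the DAC user/group ownership of disk images to match the uid/gid the QEMU process runs under, and static versus dynamic labelling is selected per guest through the <seclabel> element in the domain XML. Rewrite the block around DAC ownership and move the <seclabel> text to the sVirt documentation the reply points at (docs/drvqemu.html). Minor grammar: "A static assignment of SELinux labels imply" should read "implies".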
> >
> > This is not what the dynamic_ownership parameter does - it actually
> > has nothing todo with SELinux / sVirt. This determines whether
> > libvirt will set the user/group DAC ownership on the disk images
> > to match the uid/gid the QEMU process runs under.
> >
> I see. Thanks for the clarification.
>
> > Whether libvirt uses static or dynamic SELinux labels is entirely
> > controlled by the guest XML config. This is explained a little bit
> > in this webpage:
> >
> > http://libvirt.org/drvqemu.html#securitysvirt
> >
> > though you might wish to improve the wording a little more (the web
> > pages are stored in the docs/ directory of GIT).
>
> This statement there is not fully clear. Can you please briefly state how
> you switch between dynamic and static labeling?
As you sort of mentioned above, when defining a new guest XML, if
you don't include any <seclabel> element in the XML, then the VM
uses dynamic labelling. Also if you have <seclabel type='dynamic'/>
then it'll do dynamic labelling. Only if you explicitly include
the full XML like
<seclabel model='selinux' type="static">
<label>system_u:system_r:qemu_t:s0:c210.c502</label>
</seclabel>
will static labelling be used.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
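The rules Daniel gives above (no <seclabel>, or type='dynamic', means libvirt picks the label; only a full static <seclabel> with a <label> is honoured as-is) are easy to get wrong when auditing many guest definitions. The following is an added example, not libvirt code and not part of this thread: it classifies a domain XML document by labelling mode and, for static labels, checks that the level part carries MCS categories, since a static label without categories gives the guest no category-based separation from other guests under the targeted policy. All sample XML is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed guest XML fragments for the example; not from a real host.
NO_SECLABEL = "<domain type='kvm'><name>a</name></domain>"
EXPLICIT_DYNAMIC = ("<domain type='kvm'><name>b</name>"
                    "<seclabel type='dynamic'/></domain>")
STATIC = """<domain type='kvm'><name>c</name>
<seclabel model='selinux' type='static'>
<label>system_u:system_r:qemu_t:s0:c210.c502</label>
</seclabel></domain>"""
STATIC_NO_CATS = """<domain type='kvm'><name>d</name>
<seclabel model='selinux' type='static'>
<label>system_u:system_r:qemu_t:s0</label>
</seclabel></domain>"""


def labelling_mode(domain_xml):
    """Return ('dynamic', None) or ('static', label) for one domain XML.

    Mirrors the thread: absent <seclabel> or type='dynamic' -> libvirt
    assigns the label; type='static' must carry a full <label>."""
    root = ET.fromstring(domain_xml)
    sec = root.find("seclabel")
    # libvirt treats a missing type attribute as dynamic.
    if sec is None or sec.get("type", "dynamic") == "dynamic":
        return ("dynamic", None)
    if sec.get("type") == "static":
        label = (sec.findtext("label") or "").strip()
        if not label:
            raise ValueError("static <seclabel> without a <label> element")
        return ("static", label)
    raise ValueError("unknown seclabel type: %r" % sec.get("type"))


def has_mcs_categories(label):
    """True if the label's level (4th field onward) lists categories,
    e.g. 's0:c210.c502' or 's0:c210,c502'; 's0' alone has none."""
    fields = label.split(":", 3)
    if len(fields) < 4:
        return False
    level = fields[3]          # sensitivity plus optional categories
    return ":" in level and level.split(":", 1)[1].startswith("c")


def audit(domain_xml):
    """Return a short finding string for one guest definition."""
    mode, label = labelling_mode(domain_xml)
    if mode == "dynamic":
        return "dynamic: libvirt chooses a unique label per guest"
    if not has_mcs_categories(label):
        return "static without categories: no MCS separation from other guests"
    return "static: %s" % label
```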