[libvirt] None seclabel question
Daniel P. Berrange
berrange at redhat.com
Tue Sep 4 09:31:54 UTC 2012
On Tue, Sep 04, 2012 at 11:28:19AM +0200, Jiri Denemark wrote:
> On Tue, Sep 04, 2012 at 10:22:56 +0100, Daniel P. Berrange wrote:
> > On Mon, Sep 03, 2012 at 12:57:50PM -0300, Marcelo Cerri wrote:
> > > Hi,
> > >
> > > I was discussing with Jiri Denemark about the current behavior of
> > > none seclabels with multiple security drivers and I'd like to hear
> > > more opinions about how this should work.
> > >
> > > Currently, a none security label can be defined specifically to each
> > > enabled security driver. For example, using a default configuration
> > > (in which SELinux is enabled as default driver and DAC is enabled
> > > due to privileged mode), a guest definition can contain the
> > > following seclabel:
> > >
> > > <seclabel type='none' model='selinux'/>
> > >
> > > This will disable SELinux labeling and will keep labeling enabled
> > > for any other security drivers (DAC in this case).
> > >
> > > So, my question is: should none seclabels affect specific drivers
> > > (as done now) or just one none seclabel should be accepted affecting
> > > all security drivers in use?
> >
> > No, as with your example above, the type=none is scoped to a specific
> > driver.
>
> And what happens if you have older libvirt and a domain configured with
> <seclabel type='none'/> and upgrade libvirt to the state when it actually
> enables more than one security driver at a time. Shouldn't such generic
> <seclabel type='none'/> actually turn off any labeling, that is, affect all
> the enabled drivers?
IMHO with the old libvirt, if no model=XXXX was set, this was implicitly
referring to the current model.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
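To make the two readings discussed in the thread concrete, here is an added example (not libvirt code, and not posted by any participant) that parses the <seclabel> elements of a domain definition and reports, per enabled security driver, whether labeling stays on. It encodes the semantics Daniel describes: a type='none' with a model is scoped to that driver only, and a type='none' without a model refers to the default (current) driver. The optional generic_none_affects_all flag implements the alternative Jiri raises, where a model-less none turns off every enabled driver. The enabled driver list, the default model name, and the sample XML are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain XML (not from the original thread); it mirrors the
# <seclabel> element Marcelo quoted, plus a name element for realism.
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <name>guest1</name>
  <seclabel type='none' model='selinux'/>
</domain>
"""


def labeling_state(domain_xml, enabled_models, default_model,
                   generic_none_affects_all=False):
    """Return {model: bool} where True means labeling stays enabled.

    Assumed semantics (what the thread argues, not libvirt's own code):
      - <seclabel type='none' model='X'/> disables labeling for driver X only.
      - <seclabel type='none'/> with no model refers to default_model only,
        unless generic_none_affects_all=True, in which case it disables every
        enabled driver (the alternative reading raised in the thread).
      - Drivers with no matching seclabel keep labeling enabled.
      - Any other seclabel type (dynamic, static) leaves labeling enabled.
    """
    root = ET.fromstring(domain_xml)
    state = {model: True for model in enabled_models}

    for sec in root.findall("seclabel"):
        sec_type = sec.get("type")
        model = sec.get("model")

        if model is None and sec_type == "none" and generic_none_affects_all:
            # Generic none: switch off labeling for all enabled drivers.
            for m in state:
                state[m] = False
            continue

        # A seclabel without model implicitly refers to the default driver.
        model = model or default_model
        if model not in state:
            # Refusing an unknown/disabled driver avoids silently ignoring a
            # seclabel the admin thought was in effect.
            raise ValueError("seclabel refers to unknown or disabled model %r" % model)

        if sec_type == "none":
            state[model] = False

    return state


if __name__ == "__main__":
    # Assumed default configuration from the thread: SELinux is the default
    # driver and DAC is enabled because libvirtd runs privileged.
    print(labeling_state(SAMPLE_DOMAIN_XML, ["selinux", "dac"], "selinux"))
    print(labeling_state("<domain><seclabel type='none'/></domain>",
                         ["selinux", "dac"], "selinux",
                         generic_none_affects_all=True))
```

Running it with the assumed SELinux-plus-DAC configuration reports SELinux labeling disabled and DAC labeling still enabled for the quoted seclabel; with the generic form and generic_none_affects_all=True both drivers are reported disabled, which is the difference the thread is deciding.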