[libvirt] None seclabel question

Daniel P. Berrange berrange at redhat.com
Tue Sep 4 10:14:35 UTC 2012


On Tue, Sep 04, 2012 at 12:00:33PM +0200, Jiri Denemark wrote:
> On Tue, Sep 04, 2012 at 10:31:54 +0100, Daniel P. Berrange wrote:
> > On Tue, Sep 04, 2012 at 11:28:19AM +0200, Jiri Denemark wrote:
> > > On Tue, Sep 04, 2012 at 10:22:56 +0100, Daniel P. Berrange wrote:
> > > > On Mon, Sep 03, 2012 at 12:57:50PM -0300, Marcelo Cerri wrote:
> > > > > 
> > > > > So, my question is: should none seclabels affect specific drivers
> > > > > (as done now) or just one none seclabel should be accepted affecting
> > > > > all security drivers in use?
> > > > 
> > > > No, as with your example above, the type=none is scoped to a specific
> > > > driver.
> > > 
> > > And what happens if you have older libvirt and a domain configured with
> > > <seclabel type='none'/> and upgrade libvirt to the state when it actually
> > > enables more than one security driver at a time. Shouldn't such generic
> > > <seclabel type='none'/> actually turn off any labeling, that is, affect all
> > > the enabled drivers?
> > 
> > IMHO with the old libvirt, if no model=XXXX was set, this was implicitly
> > referring to the current model.
> 
> Yes, but there was just one model, thus it trivially affected all enabled
> models. Also its semantics can be understood as "do no labeling no matter what
> security model is used". I'm mainly concerned about libvirt upgrades while
> domains with <seclabel type='none'/> are running.

I don't think that description of existing behaviour is accurate. With old
libvirt you have one <seclabel> (for SELinux/AppArmor), but secretly there
are 2 security drivers (SELinux/AppArmor + DAC). Setting type=none for
the seclabel only meant that the SELinux/AppArmor drivers ran the guest
unconfined. The second (DAC) driver would still be applied to the guest
making it run unprivileged/confined.

What actual problem have you seen with upgrades?

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
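The per-driver scoping Daniel describes above, as an added example that is not part of the thread or of libvirt's own code: a small checker that reads a domain's <seclabel> elements and reports which enabled security drivers still confine the guest. It assumes (as stated in the thread) that a <seclabel> without model= refers to the primary driver only and that DAC remains enabled alongside it; the driver list and the domain XML are constructed samples.

```python
import xml.etree.ElementTree as ET

# Constructed sample: drivers assumed enabled on the host. The thread's case
# is SELinux (or AppArmor) plus the always-present DAC driver; the first
# entry is treated as the "current"/primary model (assumption, per the thread).
ENABLED_DRIVERS = ("selinux", "dac")

# Constructed domain XML: a generic <seclabel type='none'/> with no model
# attribute, the form an older single-driver libvirt config would carry.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>guest1</name>
  <seclabel type='none'/>
</domain>"""


def confinement_per_driver(domain_xml, enabled_drivers=ENABLED_DRIVERS):
    """Return {driver: 'confined' | 'unconfined'} following the semantics in
    the thread: a <seclabel> without model= refers to the primary driver;
    type='none' unconfines only the driver it names; every other enabled
    driver (e.g. DAC) still confines the guest."""
    root = ET.fromstring(domain_xml)
    primary = enabled_drivers[0]
    status = {drv: "confined" for drv in enabled_drivers}
    for sec in root.findall("seclabel"):
        model = sec.get("model", primary)
        if model not in status:
            continue  # label for a driver that is not enabled; no effect
        if sec.get("type") == "none":
            status[model] = "unconfined"
    return status


def drivers_still_confining(domain_xml, enabled_drivers=ENABLED_DRIVERS):
    """List the enabled drivers that still apply to this guest."""
    status = confinement_per_driver(domain_xml, enabled_drivers)
    return [drv for drv, state in status.items() if state == "confined"]


if __name__ == "__main__":
    for drv, state in confinement_per_driver(SAMPLE_DOMAIN_XML).items():
        print(f"{drv}: {state}")
```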