[libvirt] RFC: Limited dynamic ownership
mkletzan at redhat.com
Tue Aug 23 21:06:20 UTC 2016
so there was an idea about limiting the relabelling of images that
libvirt does. And I'm taking the liberty of pitching my idea how to
approach this. I feel like it's pretty simple thing and there's not
much to talk about, but a) I could've missed something and b) you might
hate the way I approach it.
The idea is to extend the seclabel XML, for example:
<seclabel type='dynamic' model='dac' relabel='whitelist'>
Either we allow 'relabel' to be set to 'whitelist' or add a new
attribute with a name like 'mode' or something, which will control how
we relabel the files (actually relabel='no' can mean 'whitelist' and
relabel='yes' can mean blacklist without adding anything there). After
that you can specify what paths are (dis)allowed to be labelled.
Actually thinking about it I like the following the most:
<seclabel type='dynamic' model='dac' relabel='no'>
which I believe is pretty explanatory. Feel free to ask if it's not.
And let me know what you think.
And have a nice day!!!
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 801 bytes
Desc: Digital signature
More information about the libvir-list