On 03/04/2011 09:35 AM, Daniel P. Berrange wrote:
> +# A static assignment of SELinux labels imply that the
administrator
> +# manually configures the SELinux label of the virtual machine in
> +# /etc/libvirt/qemu/<VM-DESCRIPTOR> based on the following example:
> +#
> +# <seclabel model='selinux' type="static">
> +# <label>system_u:system_r:qemu_t:s0:c210.c502</label>
> +# </seclabel>
> +# dynamic_ownership: 0 == static assignment of SELinux labels
> +# 1 == dynamic assignment of SELinux labels
> +dynamic_ownership=1
> +#
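Review bot: the comment block describes dynamic_ownership as a switch between static and dynamic SELinux labels, which is not what the option does; as the reply below states, it controls whether libvirt sets DAC user/group ownership on disk images to match the uid/gid the QEMU process runs under, while static versus dynamic SELinux labelling is chosen by the `<seclabel type=...>` element in the guest XML. Suggest rewording the comment to describe the DAC ownership behaviour and, at most, cross-referencing the XML seclabel for the SELinux side. Minor: "imply" should be "implies", and the XML example mixes quote styles (`model='selinux' type="static"`).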
> This is not what the dynamic_ownership parameter does - it actually
> has nothing to do with SELinux / sVirt. This determines whether
> libvirt will set the user/group DAC ownership on the disk images
> to match the uid/gid the QEMU process runs under.
While Daniel's point is correct, that dynamic_ownership in the conf file
(affecting DAC) is different from dynamic SELinux labels in the XML
(affecting SELinux), it may still be worth updating the
dynamic_ownership documentation to mention how the XML can additionally
affect access.
> Whether libvirt uses static or dynamic SELinux labels is entirely
> controlled by the guest XML config. This is explained a little bit
> in this webpage:
> http://libvirt.org/drvqemu.html#securitysvirt
> though you might wish to improve the wording a little more (the web
> pages are stored in the docs/ directory of GIT).
Agreed that the web pages could also be improved.
--
Eric Blake eblake(a)redhat.com +1-801-349-2682
Libvirt virtualization library
http://libvirt.org
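The distinction discussed in this thread, shown as an added example that is not part of the thread or of libvirt itself: a small script that reads the two independent controls, the `dynamic_ownership`/`user`/`group` keys from a qemu.conf-style file (DAC ownership of disk images) and the `<seclabel>` element from a domain XML (static or dynamic SELinux label). The qemu.conf text, the two domain XML fragments and the SELinux label value are constructed for the example; the assumed defaults (dynamic_ownership on, root:root ownership, and a dynamic label when no `<seclabel>` is present) are assumptions, not taken from the thread.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the style of /etc/libvirt/qemu.conf (not a real host file).
SAMPLE_QEMU_CONF = """
# user/group the system-instance QEMU processes run as
user = "qemu"
group = "qemu"
# whether libvirt chowns disk images to that user/group (DAC only)
dynamic_ownership = 1
security_driver = "selinux"
"""

# Constructed domain XML for a hypothetical guest with a static SELinux label.
STATIC_LABEL_XML = """<domain type='kvm'>
  <name>static-guest</name>
  <seclabel model='selinux' type='static'>
    <label>system_u:system_r:svirt_t:s0:c210,c502</label>
  </seclabel>
</domain>"""

# Constructed domain XML for a hypothetical guest that lets libvirt pick the label.
DYNAMIC_LABEL_XML = """<domain type='kvm'>
  <name>dynamic-guest</name>
  <seclabel model='selinux' type='dynamic'/>
</domain>"""

_CONF_LINE = re.compile(r'^\s*([A-Za-z_]+)\s*=\s*(.+?)\s*$')


def parse_qemu_conf(text):
    """Parse the flat 'key = value' lines of qemu.conf, ignoring comments."""
    settings = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0]          # drop trailing/whole-line comments
        m = _CONF_LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip('"')
    return settings


def dac_policy(settings):
    """DAC side: what libvirt does with disk-image ownership (assumed defaults: 1, root:root)."""
    user = settings.get('user', 'root')
    group = settings.get('group', 'root')
    if settings.get('dynamic_ownership', '1') == '1':
        return 'libvirt chowns disk images to %s:%s before starting the guest' % (user, group)
    return ('libvirt leaves disk-image ownership alone; the administrator must make '
            'them accessible to %s:%s' % (user, group))


def selinux_policy(domain_xml):
    """SELinux side: decided solely by <seclabel> in the guest XML, not by qemu.conf.

    Returns (type, label); label is None for a dynamic label, which libvirt
    generates at start-up. Absence of <seclabel> is treated as dynamic (assumption).
    """
    root = ET.fromstring(domain_xml)
    sec = root.find('seclabel')
    if sec is None:
        return ('dynamic', None)
    return (sec.get('type', 'dynamic'), sec.findtext('label'))


if __name__ == '__main__':
    conf = parse_qemu_conf(SAMPLE_QEMU_CONF)
    print('DAC    :', dac_policy(conf))
    for xml in (STATIC_LABEL_XML, DYNAMIC_LABEL_XML):
        print('SELinux:', selinux_policy(xml))
```

Running it prints one DAC line derived only from qemu.conf and one SELinux line per guest derived only from the XML, which is the point of the correction in the thread: flipping `dynamic_ownership` changes the first output and never the second.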