6:47 p.m.
When doing security relabeling, there are cases where a per-file
override might be appropriate. For example, with a static label
and relabeling, it might be appropriate to skip relabeling on a
particular disk, where the backing file lives on NFS that lacks
the ability to track labeling. Or with dynamic labeling, it might
be appropriate to use a custom (non-dynamic) label for a disk
specifically intended to be shared across domains.
The new XML resembles the top-level <seclabel>, but with fewer
options (basically relabel='no', or <label>text</label>):
<domain ...>
...
<devices>
<disk type='file' device='disk'>
<source file='/path/to/image1'>
<seclabel relabel='no'/> <!-- override for just this disk -->
</source>
...
</disk>
<disk type='file' device='disk'>
<source file='/path/to/image1'>
<seclabel relabel='yes'> <!-- override for just this disk -->
<label>system_u:object_r:shared_content_t:s0</label>
</seclabel>
</source>
...
</disk>
...
</devices>
<seclabel type='dynamic' model='selinux'>
<baselabel>text</baselabel> <!-- used for all devices without override
-->
</seclabel>
</domain>
This patch only introduces the XML and documentation; future patches
will actually parse and make use of it. The intent is that we can
further extend things as needed, adding a per-device <seclabel> in
more places (such as the source of a console device), and possibly
allowing a <baselabel> instead of <label> for labeling where we want
to reuse the cNNN,cNNN pair of a dynamically labeled domain but a
different base label.
First suggested by Daniel P. Berrange here:
https://www.redhat.com/archives/libvir-list/2011-December/msg00258.html
* docs/schemas/domaincommon.rng (devSeclabel): New define.
(disk): Use it.
* docs/formatdomain.html.in (elementsDisks, seclabel): Document
the new XML.
* tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-override.xml:
New test, to validate RNG.
---
docs/formatdomain.html.in | 29 ++++++++++++--
docs/schemas/domaincommon.rng | 29 +++++++++++++-
.../qemuxml2argv-seclabel-dynamic-override.xml | 40 ++++++++++++++++++++
3 files changed, 91 insertions(+), 7 deletions(-)
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-override.xml
diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index 06181b1..d468299 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -947,7 +947,9 @@
<devices>
<disk type='file' snapshot='external'>
<driver name="tap" type="aio"
cache="default"/>
- <source file='/var/lib/xen/images/fv0'/
startupPolicy='optional'/>
+ <source file='/var/lib/xen/images/fv0'/
startupPolicy='optional'>
+ <seclabel relabel='no'/>
+ </source>
<target dev='hda' bus='ide'/>
<iotune>
<total_bytes_sec>10000000</total_bytes_sec>
@@ -1023,7 +1025,11 @@
path to the file holding the disk. If the disk
<code>type</code> is "block", then the
<code>dev</code>
attribute specifies the path to the host device to serve as
- the disk. If the disk <code>type</code> is "dir", then the
+ the disk. With both "file" and "block", an optional
+ sub-element <code>seclabel</code>, <a
href="#seclabel">described
+ below</a> (and <span class="since">since
0.9.9</span>), can be
+ used to override the domain security labeling policy for just
+ that source file. If the disk <code>type</code> is "dir",
then the
<code>dir</code> attribute specifies the fully-qualified path
to the directory to use as the disk. If the disk <code>type</code>
is "network", then the <code>protocol</code> attribute
specifies
@@ -1031,7 +1037,7 @@
are "nbd", "rbd", and "sheepdog". If the
<code>protocol</code>
attribute is "rbd" or "sheepdog", an additional
attribute <code>name</code> is mandatory to specify which
- image to be used. When the disk <code>type</code> is
+ image will be used. When the disk <code>type</code> is
"network", the <code>source</code> may have zero or
more <code>host</code> sub-elements used to specify the hosts
to connect.
@@ -3372,11 +3378,11 @@ qemu-kvm -net nic,model=? /dev/null
With static label assignment, by default, the administrator
or application must ensure labels are set correctly on any
resources, however, automatic relabeling can be enabled
- if desired
+ if desired.
</p>
<p>
- Valid input XML configurations for the security label
+ Valid input XML configurations for the top-level security label
are:
</p>
@@ -3435,6 +3441,19 @@ qemu-kvm -net nic,model=? /dev/null
</dd>
</dl>
+ <p>When relabeling is in effect, it is also possible to fine-tune
+ the labeling done for specific source file names, by either
+ disabling the labeling (useful if the file lives on NFS or other
+ file system that lacks security labeling) or requesting an
+ alternate label (useful when a management application creates a
+ special label to allow sharing of some, but not all, resources
+ between domains), <span class="since">since 0.9.9</span>.
When
+ a <code>seclabel</code> element is attached to a specific path
+ rather than the top-level domain assignment, only the
+ attribute <code>relabel</code> or the
+ sub-element <code>label</code> are supported.
+ </p>
+
<h2><a name="examples">Example configs</a></h2>
<p>
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index dd76f91..7a8f7f4 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -116,6 +116,27 @@
</choice>
</element>
</define>
+ <define name="devSeclabel">
+ <element name="seclabel">
+ <!-- A per-device seclabel override is more limited, either
+ relabel=no or a <label> must be present. -->
+ <choice>
+ <attribute name='relabel'>
+ <value>no</value>
+ </attribute>
+ <group>
+ <optional>
+ <attribute name='relabel'>
+ <value>yes</value>
+ </attribute>
+ </optional>
+ <element name='label'>
+ <text/>
+ </element>
+ </group>
+ </choice>
+ </element>
+ </define>
<define name="hvs">
<attribute name="type">
<choice>
@@ -795,7 +816,9 @@
<optional>
<ref name="startupPolicy"/>
</optional>
- <empty/>
+ <optional>
+ <ref name='devSeclabel'/>
+ </optional>
</element>
</optional>
<ref name="diskspec"/>
@@ -811,7 +834,9 @@
<attribute name="dev">
<ref name="absFilePath"/>
</attribute>
- <empty/>
+ <optional>
+ <ref name='devSeclabel'/>
+ </optional>
</element>
</optional>
<ref name="diskspec"/>
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-override.xml
b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-override.xml
new file mode 100644
index 0000000..19b1cbb
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-override.xml
@@ -0,0 +1,40 @@
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory>219100</memory>
+ <currentMemory>219100</currentMemory>
+ <vcpu cpuset='1-4,8-20,525'>1</vcpu>
+ <os>
+ <type arch='i686' machine='pc'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu</emulator>
+ <disk type='block' device='disk'>
+ <source dev='/dev/HostVG/QEMUGuest1'>
+ <seclabel relabel='no'/>
+ </source>
+ <target dev='hda' bus='ide'/>
+ <address type='drive' controller='0' bus='0'
unit='0'/>
+ </disk>
+ <disk type='block' device='disk'>
+ <source dev='/dev/HostVG/QEMUGuest2'>
+ <seclabel relabel='yes'>
+ <label>system_u:system_r:public_content_t:s0</label>
+ </seclabel>
+ </source>
+ <target dev='hdb' bus='ide'/>
+ <readonly/>
+ <address type='drive' controller='0' bus='0'
unit='0'/>
+ </disk>
+ <controller type='ide' index='0'/>
+ <memballoon model='virtio'/>
+ </devices>
+ <seclabel type='dynamic' model='selinux' relabel='yes'>
+ <baselabel>system_u:system_r:svirt_custom_t:s0</baselabel>
+ </seclabel>
+</domain>
--
1.7.7.4