On Mon, Sep 03, 2012 at 12:57:50PM -0300, Marcelo Cerri wrote:
> Hi,
>
> I was discussing with Jiri Denemark about the current behavior of
> none seclabels with multiple security drivers and I'd like to hear
> more opinions about how this should work.
>
> Currently, a none security label can be defined specifically for each
> enabled security driver. For example, using a default configuration
> (in which SELinux is enabled as default driver and DAC is enabled
> due to privileged mode), a guest definition can contain the
> following seclabel:
>
>   <seclabel type='none' model='selinux'/>
>
> This will disable SELinux labeling and will keep labeling enabled
> for any other security drivers (DAC in this case).
>
> So, my question is: should none seclabels affect specific drivers
> (as done now), or should just one none seclabel be accepted, affecting
> all security drivers in use?

No, as with your example above, the type=none is scoped to a specific
driver.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
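
The per-driver scoping discussed in this thread can be checked mechanically when reviewing guest definitions. The following is an added example, not part of the original messages and not libvirt code: it reads a domain XML and reports, for each enabled security driver, whether a top-level seclabel turns its labeling off. The function names, the "unset" marker and the sample domain are assumptions made for the illustration; the list of enabled drivers is supplied by the caller.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the seclabel from the thread inside a minimal domain.
SAMPLE_DOMAIN = """
<domain type='kvm'>
  <name>guest1</name>
  <seclabel type='none' model='selinux'/>
</domain>
"""


def seclabel_scope(domain_xml, enabled_drivers):
    """Map each enabled driver to the seclabel type that names it.

    "unset" (a marker chosen for this example) means no top-level
    seclabel names that driver, so its labeling is left enabled, as
    the thread describes for DAC.
    Returns (scope, unscoped, unknown):
      unscoped - types of seclabels that carry no model attribute
      unknown  - models named in the XML that are not enabled drivers
    """
    root = ET.fromstring(domain_xml)
    scope = {driver: "unset" for driver in enabled_drivers}
    unscoped, unknown = [], []
    # Only direct children of <domain>; per-device seclabels are ignored.
    for element in root.findall("seclabel"):
        model = element.get("model")
        kind = element.get("type", "unset")
        if model is None:
            unscoped.append(kind)   # reviewer must decide which driver
        elif model in scope:
            scope[model] = kind
        else:
            unknown.append(model)
    return scope, unscoped, unknown


def drivers_without_labeling(domain_xml, enabled_drivers):
    """Enabled drivers whose labeling is disabled by type='none'."""
    scope, _, _ = seclabel_scope(domain_xml, enabled_drivers)
    return [d for d in enabled_drivers if scope[d] == "none"]


if __name__ == "__main__":
    # Driver list taken from the default configuration in the thread.
    print(seclabel_scope(SAMPLE_DOMAIN, ["selinux", "dac"]))
    print(drivers_without_labeling(SAMPLE_DOMAIN, ["selinux", "dac"]))
```
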