On Tue, Sep 04, 2012 at 12:00:33PM +0200, Jiri Denemark wrote:
> On Tue, Sep 04, 2012 at 10:31:54 +0100, Daniel P. Berrange wrote:
> > On Tue, Sep 04, 2012 at 11:28:19AM +0200, Jiri Denemark wrote:
> > > On Tue, Sep 04, 2012 at 10:22:56 +0100, Daniel P. Berrange wrote:
> > > > On Mon, Sep 03, 2012 at 12:57:50PM -0300, Marcelo Cerri wrote:
> > > > >
> > > > > So, my question is: should none seclabels affect specific drivers
> > > > > (as done now) or just one none seclabel should be accepted affecting
> > > > > all security drivers in use?
> > > >
> > > > No, as with your example above, the type=none is scoped to a specific
> > > > driver.
> > >
> > > And what happens if you have older libvirt and a domain configured with
> > > <seclabel type='none'/> and upgrade libvirt to the state when it actually
> > > enables more than one security driver at a time. Shouldn't such generic
> > > <seclabel type='none'/> actually turn off any labeling, that is, affect all
> > > the enabled drivers?
> >
> > IMHO with the old libvirt, if no model=XXXX was set, this was implicitly
> > referring to the current model.
>
> Yes, but there was just one model, thus it trivially affected all enabled
> models. Also its semantics can be understood as "do no labeling no matter what
> security model is used". I'm mainly concerned about libvirt upgrades while
> domains with <seclabel type='none'/> are running.

I don't think that description of existing behaviour is accurate. With old
libvirt you have one <seclabel> (for SELinux/AppArmor), but secretly there
are 2 security drivers (SELinux/AppArmor + DAC). Setting type=none for
the seclabel only meant that the SELinux/AppArmor drivers ran the guest
unconfined. The second (DAC) driver would still be applied to the guest
making it run unprivileged/confined.

What actual problem have you seen with upgrades?

Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|