On Fri, Feb 06, 2009 at 12:55:29PM -0500, Daniel J Walsh wrote:
What is the process to get them into libvirt?
I've reviewed all the submissions James has posted for comments so
far, and am pretty happy with the way it now integrates with libvirt.
If yourself & James are happy with what they're doing from a SELinux /
security model point of view, then there's no reason they shouldn't
be posted for final merge now.
I have begun to look at the second component of the libvirt change.
James' patch allows libvirt to read the SELinux context out of the XML
database and execute qemu with the context. The second component is to
pass the context of the image(s) and allow libvirt to not only set the
image, but also update the default labels on disk, so a relabel will not
change the context.
I have some patches to do this, but want to make sure the original
patches are acceptable?
The latest patches I've seen from James were fine by me. If you've
got a proof of concept for the disk label stuff, then by all means
post it now for early review, even if it's not developed far enough
for use yet.
The last change, and perhaps the most difficult, is figuring out how to
get the labels into the XML database in the first place.
I guess virt_manager will somehow figure out what the labels should be
and assign them.
How to tell virt-manager what the available / acceptable labels are is
an interesting problem I don't think we've considered yet. We could
provide metadata in the host capabilities XML format (virsh capabilities)
Or add a new security capabilities XML doc with the info. Or, as a first
cut, just hardcode them in virt-manager, assume everyone's using
the SELinux reference policy to start with, and consider customization
a v2 thing.
Regards,
Daniel
--
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
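The thread above discusses two things libvirt needs to do with a guest's SELinux label: read it out of the domain XML and start qemu with it, and label the disk images so that a later relabel does not undo the change. The block below is an added illustration of the image-labelling half, written for this page; it is not libvirt's, virt-manager's, or either Daniel's code. It assumes a hypothetical `<seclabel>` element carrying a process `<label>` and an `<imagelabel>` (the real libvirt XML shape was not settled in this thread), validates the contexts, checks that the process and image labels agree on their MCS categories, restricts the image type to an assumed allowlist, and then builds both a `chcon` command (sets the label now) and a `semanage fcontext` rule (so `restorecon` keeps it). The commands are only built, not executed, so the example runs offline; the sample XML is constructed.

```python
"""Added example, not libvirt code: derive image-labelling commands from a
domain XML <seclabel>.  The <seclabel>/<label>/<imagelabel> layout and the
ALLOWED_IMAGE_TYPES set are assumptions made for this illustration."""
import re
import shlex
import xml.etree.ElementTree as ET

# Constructed sample domain XML; not taken from any real guest definition.
SAMPLE_XML = """<domain type='kvm'>
  <name>demo</name>
  <seclabel model='selinux'>
    <label>system_u:system_r:svirt_t:s0:c123,c456</label>
    <imagelabel>system_u:object_r:svirt_image_t:s0:c123,c456</imagelabel>
  </seclabel>
  <devices>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/demo.img'/>
    </disk>
    <disk type='file' device='cdrom'>
      <source file='/var/lib/libvirt/images/install.iso'/>
    </disk>
  </devices>
</domain>"""

# user:role:type:level, where level is an MLS sensitivity (s0) optionally
# followed by a comma-separated MCS category list.
CONTEXT_RE = re.compile(
    r'^(?P<user>[a-z_][\w.]*):(?P<role>[a-z_]\w*):(?P<type>[a-z_]\w*)'
    r':(?P<level>s\d+(?::c\d+(?:,c\d+)*)?)$'
)

# Assumed policy choice for this example: only reference-policy virt image
# types may be written onto guest disks; anything else is refused.
ALLOWED_IMAGE_TYPES = {"svirt_image_t", "virt_content_t"}


def parse_context(ctx):
    """Split a context string into its fields, rejecting anything malformed."""
    m = CONTEXT_RE.match(ctx or "")
    if not m:
        raise ValueError("malformed SELinux context: %r" % (ctx,))
    return m.groupdict()


def extract_labels(xml_text):
    """Return (process label, image label, disk paths) from domain XML."""
    root = ET.fromstring(xml_text)
    sec = root.find("seclabel")
    if sec is None or sec.get("model") != "selinux":
        raise ValueError("no selinux <seclabel> in domain XML")
    proc = parse_context(sec.findtext("label"))
    img = parse_context(sec.findtext("imagelabel"))
    if img["type"] not in ALLOWED_IMAGE_TYPES:
        raise ValueError("refusing image type %s" % img["type"])
    # Confined qemu can only open an image whose MCS categories match its
    # own, so a mismatch here means a guest that cannot boot.
    if proc["level"] != img["level"]:
        raise ValueError("process/image MCS levels differ")
    disks = [src.get("file") for src in root.iterfind("devices/disk/source")]
    return proc, img, disks


def label_commands(xml_text):
    """Build the shell commands that label the images persistently."""
    _proc, img, disks = extract_labels(xml_text)
    image_ctx = "%s:%s:%s:%s" % (img["user"], img["role"], img["type"], img["level"])
    cmds = []
    for path in disks:
        # chcon sets the label on disk immediately ...
        cmds.append("chcon %s %s" % (shlex.quote(image_ctx), shlex.quote(path)))
        # ... and the fcontext rule is what makes restorecon / a full
        # relabel reproduce the same type and MCS range instead of
        # reverting the file to the default for its directory.
        cmds.append("semanage fcontext -a -t %s -r %s %s"
                    % (img["type"], img["level"], shlex.quote(re.escape(path))))
    return cmds


if __name__ == "__main__":
    for cmd in label_commands(SAMPLE_XML):
        print(cmd)
```

Without the `semanage fcontext` half, the `chcon` alone is exactly the situation the thread warns about: the next `restorecon` (or a `fixfiles relabel`) would reset the image to the directory's default type and the guest would lose access to its own disk. Real libvirt code would call the libselinux API directly rather than shell out; the shell form is used here only to make the two steps visible.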