On Wed, Mar 09, 2011 at 11:38:23AM +0100, Stephan Mueller wrote:
On Friday, 4 March 2011, at 17:35:03, Daniel P. Berrange wrote:
> > +# A static assignment of SELinux labels imply that the administrator
> > +# manually configures the SELinux label of the virtual machine in
> > +# /etc/libvirt/qemu/<VM-DESCRIPTOR> based on the following example:
> > +#
> > +# <seclabel model='selinux' type="static">
> > +# <label>system_u:system_r:qemu_t:s0:c210.c502</label>
> > +# </seclabel>
> > +#
> > +# The <label> tag specifies a full SELinux label the virtual machine
> > +# will be executed with.
> > +#
> > +# In addition to the setting of the SELinux label of the virtual
> > +# machine, the administrator must manually set the SELinux label
> > +# of all resources the virtual machine accesses appropriately.
> > +#
> > +# NOTE: The dynamic assignment of categories is only intended for
> > +# systems with the targeted SELinux policy. Systems with the MLS
> > +# SELinux policy MUST use the static assignment of labels.
> > +# It is possible that static assignment is configured for
> > +# systems with the targeted policy as well.
> > +#
> > +# dynamic_ownership: 0 == static assignment of SELinux labels
> > +# 1 == dynamic assignment of SELinux labels
> > +dynamic_ownership=1
> > +#
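Review bot: the comment block above documents dynamic_ownership as the switch between static and dynamic SELinux labels, but that is not what the parameter controls: it decides whether libvirt changes the DAC user/group ownership of disk images to match the uid/gid the QEMU process runs under, and has nothing to do with sVirt. The static/dynamic SELinux choice is made per guest in the domain XML via <seclabel>, so the "0 == static assignment of SELinux labels / 1 == dynamic assignment" lines are misleading and should be replaced with a description of the DAC ownership behaviour, with the <seclabel> example and the MLS/targeted note moved to the sVirt documentation instead. Two smaller points in the same block: "A static assignment of SELinux labels imply" should read "implies", and the example element mixes quote styles (model='selinux' type="static").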
>
> This is not what the dynamic_ownership parameter does - it actually
> has nothing todo with SELinux / sVirt. This determines whether
> libvirt will set the user/group DAC ownership on the disk images
> to match the uid/gid the QEMU process runs under.
>
I see. Thanks for the clarification.
> Whether libvirt uses static or dynamic SELinux labels is entirely
> controlled by the guest XML config. This is explained a little bit
> in this webpage:
>
>
> http://libvirt.org/drvqemu.html#securitysvirt
>
> though you might wish to improve the wording a little more (the web
> pages are stored in the docs/ directory of GIT).
This statement there is not fully clear. Can you please briefly state how
you switch between dynamic and static labeling?
As you sort of mentioned above, when defining a new guest XML, if
you don't include any <seclabel> element in the XML, then the VM
uses dynamic labelling. Also if you have <seclabel type='dynamic'/>
then it'll do dynamic labelling. Only if you explicitly include
the full XML like
<seclabel model='selinux' type="static">
<label>system_u:system_r:qemu_t:s0:c210.c502</label>
</seclabel>
will static labelling be used.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|