
On 03/04/2011 09:35 AM, Daniel P. Berrange wrote:
+# A static assignment of SELinux labels imply that the administrator +# manually configures the SELinux label of the virtual machine in +# /etc/libvirt/qemu/<VM-DESCRIPTOR> based on the following example: +# +# <seclabel model='selinux' type="static"> +# <label>system_u:system_r:qemu_t:s0:c210.c502</label> +# </seclabel>
+# dynamic_ownership: 0 == static assignment of SELinux labels +# 1 == dynamic assignment of SELinux labels +dynamic_ownership=1 +#
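Review bot: the new comment block for dynamic_ownership describes the option as "static/dynamic assignment of SELinux labels", which does not match what the option controls: as the reply below notes, dynamic_ownership decides whether libvirt changes the DAC user/group ownership of disk images to the uid/gid QEMU runs as, and has no effect on SELinux labelling. Reword the two comment lines to something like "dynamic_ownership: 1 == libvirt chowns disk images to the QEMU uid/gid, 0 == ownership is left to the administrator", and move the <seclabel model='selinux' type="static"> example out of this option's comment, since static versus dynamic SELinux labels are selected in the guest XML rather than in this file.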
This is not what the dynamic_ownership parameter does - it actually has nothing to do with SELinux / sVirt. This determines whether libvirt will set the user/group DAC ownership on the disk images to match the uid/gid the QEMU process runs under.
While Daniel's point is correct, that dynamic_ownership in the conf file (affecting DAC) is different from dynamic SELinux labels in the XML (affecting SELinux), it may still be worth updating the dynamic_ownership documentation to mention how the XML can additionally affect access.
Whether libvirt uses static or dynamic SELinux labels is entirely controlled by the guest XML config. This is explained a little bit in this webpage:
http://libvirt.org/drvqemu.html#securitysvirt
though you might wish to improve the wording a little more (the web pages are stored in the docs/ directory of GIT).
Agreed that the web pages could also be improved.

--
Eric Blake eblake@redhat.com +1-801-349-2682
Libvirt virtualization library http://libvirt.org
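To make the distinction discussed in this thread concrete, here is an added example (not libvirt's code and not posted by anyone in the thread) that reads the two settings side by side: dynamic_ownership from a qemu.conf fragment, which only governs whether libvirt chowns disk images to the QEMU uid/gid, and the <seclabel> element from a domain XML, which alone decides whether libvirt generates the SELinux label (dynamic) or uses an administrator-supplied one (static). The qemu.conf fragment, the two domain definitions, the svirt_t label, the "dynamic when no <seclabel> is present" default and the "dynamic_ownership defaults to 1" default are all constructed or assumed for the example.

```python
"""Show which libvirt access-control mechanism applies to a guest's disks.

Added example, not libvirt code. DAC ownership (qemu.conf dynamic_ownership)
and SELinux labelling (<seclabel> in the guest XML) are handled independently,
which is the point made in the thread. All inputs below are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed qemu.conf fragment (assumption: only these keys matter here).
QEMU_CONF = """
user = "qemu"
group = "qemu"
# 1 == libvirt chowns disk images to user/group above; 0 == leave DAC alone
dynamic_ownership = 1
"""

# Constructed guest with an administrator-chosen (static) sVirt label.
DOMAIN_STATIC = """<domain type='kvm'>
  <name>demo-static</name>
  <devices>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/demo-static.img'/>
      <target dev='vda' bus='virtio'/>
    </disk>
  </devices>
  <seclabel model='selinux' type='static'>
    <label>system_u:system_r:svirt_t:s0:c210,c502</label>
  </seclabel>
</domain>
"""

# Constructed guest that leaves labelling to libvirt (dynamic).
DOMAIN_DYNAMIC = """<domain type='kvm'>
  <name>demo-dynamic</name>
  <devices>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/demo-dynamic.img'/>
      <target dev='vda' bus='virtio'/>
    </disk>
  </devices>
  <seclabel model='selinux' type='dynamic'/>
</domain>
"""

# user:role:type:sensitivity[:categories]; categories as c1,c2 pairs or c1.c9 ranges.
_LABEL_RE = re.compile(
    r"^[A-Za-z0-9_.\-]+:[A-Za-z0-9_\-]+:[A-Za-z0-9_\-]+:s\d+(?::c\d+(?:[.,]c\d+)*)?$"
)


def parse_qemu_conf(text):
    """Parse the key = value subset of qemu.conf (ints and double-quoted strings)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key] = value[1:-1] if value.startswith('"') and value.endswith('"') else int(value)
    return conf


def parse_seclabel(domain_xml):
    """Return (type, label) from <seclabel>; no element means dynamic (assumed default)."""
    sec = ET.fromstring(domain_xml).find("seclabel")
    if sec is None:
        return "dynamic", None
    label_el = sec.find("label")
    label = label_el.text.strip() if label_el is not None and label_el.text else None
    return sec.get("type", "dynamic"), label


def valid_selinux_label(label):
    """True if the string has the full SELinux context shape a static label needs."""
    return bool(_LABEL_RE.match(label or ""))


def access_plan(conf_text, domain_xml):
    """Describe what libvirt does to each disk at VM start; DAC and SELinux never cross over."""
    conf = parse_qemu_conf(conf_text)
    root = ET.fromstring(domain_xml)
    disks = [s.get("file") for s in root.findall("./devices/disk/source") if s.get("file")]
    sec_type, label = parse_seclabel(domain_xml)
    if sec_type == "static" and not valid_selinux_label(label):
        raise ValueError("static seclabel needs a user:role:type:sN[:cats] label, got %r" % label)
    return {
        "disks": disks,
        # DAC side: decided only by dynamic_ownership (assumed default 1), never by <seclabel>.
        "dac_chown": conf.get("dynamic_ownership", 1) == 1,
        "dac_owner": "%s:%s" % (conf.get("user", "root"), conf.get("group", "root")),
        # SELinux side: decided only by the guest XML, never by dynamic_ownership.
        "selinux_mode": sec_type,
        "selinux_label": label if sec_type == "static" else "<generated by libvirt at start>",
    }


if __name__ == "__main__":
    for xml_text in (DOMAIN_STATIC, DOMAIN_DYNAMIC):
        print(access_plan(QEMU_CONF, xml_text))
```

Flipping dynamic_ownership to 0 changes only the dac_chown field of the plan, and switching the <seclabel> type changes only the selinux_* fields; running the script on a real /etc/libvirt/qemu.conf and a `virsh dumpxml` output shows the same separation.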