Re: [libvirt] PATCH: Mark <seclabel> as dynamic generated, or statically pre-defined

This patch implements the behaviour I was refering to earlier, whereby the domain XML explicitly says whether the security label is a statically pre-defined one, or dynamically generated on VM boot by libvirtd So when creating a new guest, apps like virt-install have 2 options: - Leave out the <seclabel> tag completely -> If no security driver is active, just works as normal unconfined VM -> If a security driver is active, a dynamic seclabel is generated <seclabel type='dynamic' model='selinux'> <label>system_u:system_r:qemu_t:s0:c424,c719</label> <imagelabel>system_u:object_r:virt_image_t:s0:c424,c719</imagelabel> </seclabel> - Add an explicit <seclabel> tag with type='static' attribute -> Security driver uses the defined label & imagelabel <seclabel type='static' model='selinux'> <label>system_u:system_r:qemu_t:s0:c25,c100</label> <imagelabel>system_u:system_r:virt_image_t:s0:c25,c100</imagelabel> </seclabel> A static seclabel is visible in the XML, at all times, whether the VM is active or inactive. A dynamic seclabel is only visible when the VM is running, since it is auto-generated at VM boot. If you migrate the VM, or save/restore it, the dynamic seclabel will change on each boot. The seclabel isn't visible when not running, or if asking for the inactive XML dump This patch implements parsing of the 'type' attribute, and makes the seclabel generation key off this attribute. It also adds the 'imagelabel' XML element, since that was being used internally, but was not including in the XML output, or parsing routines, making it impossible to specify a pre-defined image label or see the dyanmic one