Hi,
I was discussing with Jiri Denemark about the current behavior of none
seclabels with multiple security drivers and I'd like to hear more
opinions about how this should work.
Currently, a none security label can be defined specifically to each
enabled security driver. For example, using a default configuration (in
which SELinux is enabled as default driver and DAC is enabled due to
privileged mode), a guest definition can contain the following seclabel:
<seclabel type='none' model='selinux'/>
This will disable SELinux labeling and will keep labeling enabled for
any other security drivers (DAC in this case).
So, my question is: should none seclabels affect specific drivers (as
done now) or just one none seclabel should be accepted affecting all
security drivers in use?
Regards,
Marcelo