The domain XML documentation is missing information about the
<seclabel> element used by security drivers
* formatdomain.html.in: Document <seclabel>
---
docs/formatdomain.html.in | 76 +++++++++++++++++++++++++++++++++++++++++++++
1 files changed, 76 insertions(+), 0 deletions(-)
diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index 3a64983..c1ea480 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -2614,6 +2614,82 @@ qemu-kvm -net nic,model=? /dev/null
</dd>
</dl>
+ <h3><a name="seclabel">Security label</a></h3>
+
+ <p>
+ The <code>seclabel</code> element allows control over the
+ operation of the security drivers. There are two basic
+ modes of operation, dynamic where libvirt automatically
+ generates a unique security label, or static where the
+ application/administrator chooses the labels. With dynamic
+ label generation, libvirt will always automatically
+ relabel any resources associated with the virtual machine.
+ With static label assignment, by default, the administrator
+ or application must ensure labels are set correctly on any
+ resources, however, automatic relabelling can be enabled
+ if desired
+ </p>
+
+ <p>
+ Valid input XML configurations for the security label
+ are:
+ </p>
+
+ <pre>
+ <seclabel type='dynamic' model='selinux'/>
+
+ <seclabel type='dynamic' model='selinux'>
+ <baselabel>system_u:system_r:my_svirt_t:s0</baselabel>
+ </seclabel>
+
+ <seclabel type='static' model='selinux'
relabel='no'>
+ <label>system_u:system_r:svirt_t:s0:c392,c662</label>
+ </seclabel>
+
+ <seclabel type='static' model='selinux'
relabel='yes'>
+ <label>system_u:system_r:svirt_t:s0:c392,c662</label>
+ </seclabel>
+ </pre>
+
+ <p>
+ When viewing the XML for a running guest with automatic
+ resource relabelling active, an additional XML element,
+ <code>imagelabel</code>, will be included. This is an
+ output-only element, so will be ignored in user supplied
+ XML documents
+ </p>
+ <dl>
+ <dt><code>type</code></dt>
+ <dd>Either <code>static</code> or
<code>dynamic</code> to determine
+ whether libvirt automatically generates a unique security label
+ or not.
+ </dd>
+ <dt><code>model</code></dt>
+ <dd>A valid security model name, matching the currently
+ activated security model
+ </dd>
+ <dt><code>relabel</code></dt>
+ <dd>Either <code>yes</code> or <code>no</code>. This
must always
+ be <code>yes</code> if dynamic label assignment is used. With
+ static label assignment it will default to <code>no</code>.
+ </dd>
+ <dt><code>label</code></dt>
+ <dd>If static labelling is used, this must specify the full
+ security label to assign to the virtual domain. The format
+ of the content depends on the security driver in use
+ </dd>
+ <dt><code>baselabel</code></dt>
+ <dd>If dynamic labelling is used, this can optionally be
+ used to specify the base security label. The format
+ of the content depends on the security driver in use
+ </dd>
+ <dt><code>imagelabel</code></dt>
+ <dd>This is an output only element, which shows the
+ security label used on resources associated with the virtual domain.
+ The format of the content depends on the security driver in use
+ </dd>
+ </dl>
+
<h2><a name="examples">Example configs</a></h2>
<p>
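Review bot: The paragraph that introduces imagelabel ("When viewing the XML for a running guest with automatic resource relabelling active ...") describes an output-only element, but the only examples in the section are the four listed under "Valid input XML configurations", so the reader never sees where imagelabel sits inside seclabel. Suggest adding a short output example after that paragraph showing the seclabel of a running guest with imagelabel present. In the relabel entry, "This must always be yes if dynamic label assignment is used" does not say what happens when relabel='no' is supplied together with type='dynamic'; please state whether that combination is rejected or ignored. The baselabel entry and its example (system_u:system_r:my_svirt_t:s0) also do not say how the base label relates to the unique label that libvirt generates; one sentence on that would help. Style: several sentences have no terminal period ("if desired", "XML documents", "activated security model", "security driver in use"), and "output-only" is hyphenated in the paragraph but written "output only" in the imagelabel entry.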
--
1.7.4.4