
On Mon, Sep 03, 2012 at 12:57:50PM -0300, Marcelo Cerri wrote:
> Hi,
>
> I was discussing with Jiri Denemark about the current behavior of none seclabels with multiple security drivers and I'd like to hear more opinions about how this should work.
>
> Currently, a none security label can be defined specifically for each enabled security driver. For example, using a default configuration (in which SELinux is enabled as default driver and DAC is enabled due to privileged mode), a guest definition can contain the following seclabel:
>
>   <seclabel type='none' model='selinux'/>
>
> This will disable SELinux labeling and will keep labeling enabled for any other security drivers (DAC in this case).
>
> So, my question is: should none seclabels affect specific drivers (as done now), or should just one none seclabel be accepted, affecting all security drivers in use?

No, as with your example above, the type=none is scoped to a specific driver.

Daniel
-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
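
The per-driver scoping confirmed in this thread, as an added example that is not part of the original messages or libvirt's own code: a Python check that reports, for each enabled security driver, which labeling type a guest definition requests, so a guest with labeling switched off for one driver can be spotted. The function names, the driver list, the `<domain>` wrapper around the seclabel from the thread, and the handling of a seclabel without a `model` attribute are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the seclabel quoted in the thread inside a minimal <domain>.
SAMPLE_DOMAIN = """
<domain type='kvm'>
  <name>demo</name>
  <seclabel type='none' model='selinux'/>
</domain>
"""


def effective_labeling(domain_xml, enabled_drivers):
    """Map each enabled security driver to the seclabel type the guest requests.

    A driver with no matching top-level <seclabel> is reported as
    'driver-default', because the guest XML does not override it.
    Per-device seclabels (for example under a disk source) are not examined.
    """
    root = ET.fromstring(domain_xml)
    result = {driver: "driver-default" for driver in enabled_drivers}
    for sec in root.findall("seclabel"):  # direct children of <domain> only
        model = sec.get("model")
        if model is None:
            # Assumption: a seclabel without a model belongs to the first
            # (default) driver in the list.
            model = enabled_drivers[0]
        if model in result:
            result[model] = sec.get("type", "driver-default")
        # Seclabels for drivers that are not enabled are skipped here.
    return result


def unlabeled_drivers(domain_xml, enabled_drivers):
    """Return the enabled drivers for which the guest sets type='none'."""
    labeling = effective_labeling(domain_xml, enabled_drivers)
    return [driver for driver in enabled_drivers if labeling[driver] == "none"]


if __name__ == "__main__":
    drivers = ["selinux", "dac"]  # default setup described in the thread
    print(effective_labeling(SAMPLE_DOMAIN, drivers))
    print("labeling disabled for:", unlabeled_drivers(SAMPLE_DOMAIN, drivers))
```
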