On Tue, Aug 27, 2013 at 02:00:03AM +0200, Giuseppe Scrivano wrote:
> virt-manager has no way to know the user/group that run the HV
> process without requiring the user to manually set it through setup.py
> or assuming "root" as default value.
>
> This series extends the Guest capabilities with "hv_user" and
> "hv_group", to inform the libvirt user about the user/group (when qemu
> is used) that run the HV process.
This is not a suitably generic approach.
The 'user' and 'group' associated with QEMU are default settings used
by the DAC security driver if the user does not specify the user and
group themselves in the <seclabel> XML.
Similarly with the SELinux security driver there is a default label
used (svirt_t), if the user does not specify the label themselves.
So to expose anything in the XML we should be providing a way to
describe the default label for any security driver.
Also there can actually be multiple default security labels depending
on the virt type used (kvm vs tcg).
e.g. where the capabilities has
    <secmodel>
      <model>selinux</model>
      <doi>0</doi>
    </secmodel>
    <secmodel>
      <model>dac</model>
      <doi>0</doi>
    </secmodel>
We should look at extending it to be something like
    <secmodel>
      <model>selinux</model>
      <doi>0</doi>
      <baselabel type='kvm'>system_u:system_r:svirt_t:s0</baselabel>
      <baselabel type='qemu'>system_u:system_r:svirt_tcg_t:s0</baselabel>
    </secmodel>
    <secmodel>
      <model>dac</model>
      <doi>0</doi>
      <baselabel type='kvm'>107:107</baselabel>
      <baselabel type='qemu'>107:107</baselabel>
    </secmodel>
NB, I used 'baselabel' to mirror the same 'baselabel' naming used in
the domain XML <seclabel> element.
Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
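As an added illustration (not part of the thread, and not libvirt or virt-manager code) of what a client would do with the proposed <secmodel> shape: the Python below parses a constructed capabilities fragment laid out exactly as in the proposal, looks up the default label a given security driver applies for a given virt type, and extracts the DAC uid:gid that virt-manager wanted to learn. A second constructed fragment in the old shape (no <baselabel>) shows the lookup failing cleanly, which is the gap the proposal closes. The function names, the `<host>` wrapper element and the acceptance of a leading '+' on numeric DAC ids are assumptions of this example, not something the thread specifies.

```python
"""Parse the <secmodel>/<baselabel> capabilities layout proposed above.

Added example, not libvirt code. Both XML strings are constructed here
to mirror the proposed and the pre-existing capabilities layout.
"""
import xml.etree.ElementTree as ET

# Constructed: capabilities carrying one <baselabel> per virt type
# (the proposed shape). The <host> wrapper is an assumption.
PROPOSED_CAPS = """<capabilities>
  <host>
    <secmodel>
      <model>selinux</model>
      <doi>0</doi>
      <baselabel type='kvm'>system_u:system_r:svirt_t:s0</baselabel>
      <baselabel type='qemu'>system_u:system_r:svirt_tcg_t:s0</baselabel>
    </secmodel>
    <secmodel>
      <model>dac</model>
      <doi>0</doi>
      <baselabel type='kvm'>107:107</baselabel>
      <baselabel type='qemu'>107:107</baselabel>
    </secmodel>
  </host>
</capabilities>"""

# Constructed: the pre-existing shape, which says nothing about defaults.
OLD_CAPS = """<capabilities>
  <host>
    <secmodel><model>selinux</model><doi>0</doi></secmodel>
    <secmodel><model>dac</model><doi>0</doi></secmodel>
  </host>
</capabilities>"""


def parse_secmodels(xml_text):
    """Return {model: {"doi": str, "baselabels": {virt_type: label}}}.

    A <secmodel> without any <baselabel> children yields an empty
    baselabels dict rather than an error, so old capabilities still parse.
    """
    root = ET.fromstring(xml_text)
    models = {}
    for sm in root.iter("secmodel"):
        model = sm.findtext("model")
        if not model:
            continue  # malformed entry; skip rather than guess a driver
        labels = {}
        for bl in sm.findall("baselabel"):
            vtype = bl.get("type")
            if vtype and bl.text and bl.text.strip():
                labels[vtype] = bl.text.strip()
        models[model] = {"doi": sm.findtext("doi", default="0").strip(),
                         "baselabels": labels}
    return models


def default_label(secmodels, model, virt_type):
    """Default label driver `model` applies to a `virt_type` guest, or None
    when the capabilities do not advertise one for that combination."""
    entry = secmodels.get(model)
    if entry is None:
        return None
    return entry["baselabels"].get(virt_type)


def dac_user_group(secmodels, virt_type):
    """(uid, gid) the DAC driver runs `virt_type` guests as, or None.

    Accepts 'uid:gid'; a leading '+' on each id (assumed here to mark a
    numeric id, as in domain XML DAC labels) is tolerated. Anything else,
    including a symbolic user name, is reported as unknown rather than
    silently mapped, so a caller never assumes 'root' by accident.
    """
    label = default_label(secmodels, "dac", virt_type)
    if label is None:
        return None
    parts = [p.lstrip("+") for p in label.split(":")]
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        return None
    return int(parts[0]), int(parts[1])


if __name__ == "__main__":
    caps = parse_secmodels(PROPOSED_CAPS)
    for model, entry in caps.items():
        print(model, entry["baselabels"])
    print("dac kvm uid:gid ->", dac_user_group(caps, "kvm"))
    print("old caps ->", dac_user_group(parse_secmodels(OLD_CAPS), "kvm"))
```

Run as a script it prints the per-driver label map, the DAC uid/gid for kvm guests, and `None` for the old capabilities layout. The point of returning `None` instead of a fallback is the one raised in the quoted cover letter: a management tool should be told the default by the host, not assume "root".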