On Fri, Aug 29, 2008 at 08:46:35AM +0200, Daniel Veillard wrote:
On Fri, Aug 29, 2008 at 06:00:36AM +0100, Daniel P. Berrange wrote:
On Fri, Aug 29, 2008 at 01:32:27PM +1000, James Morris wrote:
I'd suggest we implement a new label element to avoid breaking compatibility and to avoid potential confusion with other types of device labels (e.g. as you might see via /dev/disk/by-label).
So, how about the following:
<seclabel>
<model>
<!-- model-specific elements in here, to be handled by named security driver, in this case "selinux" --> <selinux> <type>targeted</type> </selinux>
I'd rather not have security model specific XML element names if practical. We've tried to keep to a naming that is conceptually generic, even if it only has 1 implementation.
right in general we have been using element names for specifying the concepts and attributes values to explain the specifics.
</model>
<value>system_u:object_r:virt_image_t:s0</value>
Since the interpretation of the 'value' element's contents depends on the type of security model, I think the type is better designated on the parent 'seclabel' element.
</seclabel>
Would this be sufficient...
<seclabel model='selinux'> <policy>targeted</policy> <value>system_u:object_r:virt_image_t:s0</value> </seclabel>
that looks more homogeneous. i don't know hos that would map to other security models, examples would be great
I've just had a read of the Xen user guide on their ACM security module http://www.cl.cam.ac.uk/research/srg/netos/xen/readmes/user.pdf It kicks off around page 55 In that example a domain is labeled along the lines of 'ACM:mytest:A-Bank' where 'ACM' is the security model, 'mytest' is the policy name, and 'A-Bank' is the seclabel value. Disk files have the same breakdown. This would map quite easily to <seclabel model='acm'> <policy>mytest</policy> <value>A-Bank</value> </seclabel> Daniel -- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|