[libvirt] Re: XML representation of security labels

On Fri, Aug 29, 2008 at 06:00:36AM +0100, Daniel P. Berrange wrote: > On Fri, Aug 29, 2008 at 01:32:27PM +1000, James Morris wrote: > > I'd suggest we implement a new label element to avoid breaking > > compatibility and to avoid potential confusion with other types of device > > labels (e.g. as you might see via /dev/disk/by-label). > > > > So, how about the following: > > > > <seclabel> > > > > <model> > > > > <!-- model-specific elements in here, to be handled by > > named security driver, in this case "selinux" --> > > <selinux> > > <type>targeted</type> > > </selinux> > > I'd rather not have security model specific XML element names if > practical. We've tried to keep to a naming that is conceptually > generic, even if it only has 1 implementation. right in general we have been using element names for specifying the concepts and attributes values to explain the specifics. > > > </model> > > > > <value>system_u:object_r:virt_image_t:s0</value> > > Since the interpretation of the 'value' element's contents > depends on the type of security model, I think the type > is better designated on the parent 'seclabel' element. > > > > > </seclabel> > > Would this be sufficient... > > <seclabel model='selinux'> > <policy>targeted</policy> > <value>system_u:object_r:virt_image_t:s0</value> > </seclabel> that looks more homogeneous. i don't know hos that would map to other security models, examples would be great