On Tue, Jun 28, 2011 at 07:29:28AM -0400, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 06/27/2011 08:20 AM, Daniel P. Berrange wrote:
>> This patch series adds two new features
>>
>> - The ability to override 'system_u:system_r:svirt_t:s0' from
>> /etc/selinux/targeted/contexts/virtual_domain_context using
>> the guest XML
>> - The ability to use dynamic relabelling of resources, in combo
>> with static VM label assignment.
>>
>> The latter is useful for management applications which want to
>> be in full control of assigning VM labels (so that they can be
>> unique across an entire cluster of hosts for example), while
>> still benefiting from automatic relabelling of resources in the
>> XML.
>>
> I think you might want to be a little more flexible with this. I see
> where you would want 4 ways of doing this.
We already do options 1 and 3. These two patches I post let us also
support options 2 and 4, so I think we're sorted.
> Dynamic with /etc/selinux/targeted/contexts/virtual_domain_context
>
> <seclabel type='dynamic'/>
>
> Dynamic with alternate TYPE, Meaning I could specify
> system_u:system_r:svirt_apache_t:s0 and then libvirt would select a MCS
> label for this context and launch
> system_u:system_r:svirt_apache_t:s0:c1,c257
>
> <seclabel type='dynamic'>
> <baselabel>system_u:system_r:svirt_apache_t:s0</baselabel>
> </seclabel>
>
> Static with no relabel.
>
> <seclabel type='static' relabel='no'>
> <label>system_u:system_r:svirt_apache_t:s0:c1,c257</label>
> </seclabel>
>
> Static with relabel.
>
> <seclabel type='static' relabel='yes'>
> <label>system_u:system_r:svirt_apache_t:s0:c1,c257</label>
> </seclabel>
Regards,
Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|