
On Tue, Jun 28, 2011 at 07:29:28AM -0400, Daniel J Walsh wrote:
On 06/27/2011 08:20 AM, Daniel P. Berrange wrote:
This patch series adds two new features
- The ability to override 'system_u:system_r:svirt_t:s0' from /etc/selinux/targeted/contexts/virtual_domain_context using the guest XML
- The ability to use dynamic relabelling of resources, in combo with static VM label assignment.
The latter is useful for management applications which want to be in full control of assigning VM labels (so that they can be unique across an entire cluster of hosts for example), while still benefiting from automatic relabelling of resources in the XML.
I think you might want to be a little more flexible with this. I see where you would want 4 ways of doing this.
We already do options 1 and 3. These two patches I posted let us also support options 2 and 4, so I think we're sorted.
1. Dynamic with /etc/selinux/targeted/contexts/virtual_domain_context

   <seclabel type='dynamic'/>

2. Dynamic with an alternate type, meaning I could specify system_u:system_r:svirt_apache_t:s0 and then libvirt would select an MCS label for this context and launch system_u:system_r:svirt_apache_t:s0:c1,c257

   <seclabel type='dynamic'>
     <baselabel>system_u:system_r:svirt_apache_t:s0</baselabel>
   </seclabel>

3. Static with no relabel.

   <seclabel type='static' relabel='no'>
     <label>system_u:system_r:svirt_apache_t:s0:c1,c257</label>
   </seclabel>

4. Static with relabel.

   <seclabel type='static' relabel='yes'>
     <label>system_u:system_r:svirt_apache_t:s0:c1,c257</label>
   </seclabel>

Regards,
Daniel
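As an added example (not libvirt's code and not from either poster), here is a small Python model of how the four <seclabel> forms in the thread resolve to a guest process label plus a relabel decision, run over a constructed copy of each form. The default base context, the colon-count shape check and the rule that a static label without relabel= means 'no' are assumptions of this example.

```python
import random
import xml.etree.ElementTree as ET

DEFAULT_BASE = "system_u:system_r:svirt_t:s0"  # assumed stand-in for virtual_domain_context

# The four <seclabel> forms from the thread, constructed here as sample input.
SAMPLES = {
    1: "<seclabel type='dynamic'/>",
    2: "<seclabel type='dynamic'><baselabel>system_u:system_r:svirt_apache_t:s0"
       "</baselabel></seclabel>",
    3: "<seclabel type='static' relabel='no'><label>"
       "system_u:system_r:svirt_apache_t:s0:c1,c257</label></seclabel>",
    4: "<seclabel type='static' relabel='yes'><label>"
       "system_u:system_r:svirt_apache_t:s0:c1,c257</label></seclabel>",
}

def gen_mcs(rng):
    """Ordered pair of distinct categories from c0..c1023, e.g. 'c1,c257';
    two categories per guest keep any two guests' MCS labels distinct."""
    lo, hi = sorted(rng.sample(range(1024), 2))
    return f"c{lo},c{hi}"

def mcs_pair(label):
    """Category numbers from a full 'user:role:type:s0:cA,cB' label."""
    return tuple(int(c[1:]) for c in label.split(":")[4].split(","))

def resolve_seclabel(xml, rng=None):
    """Return (process_label, relabel_resources) for one <seclabel> element.
    Colon count is a simplified shape check: 3 = no categories, 4 = with."""
    el = ET.fromstring(xml)
    kind = el.get("type")
    if kind == "dynamic":
        base = el.findtext("baselabel") or DEFAULT_BASE
        if base.count(":") != 3:
            raise ValueError("baselabel must not already carry MCS categories")
        # Dynamic: append a fresh MCS pair; resources are always relabelled.
        return f"{base}:{gen_mcs(rng or random.SystemRandom())}", True
    if kind == "static":
        label = el.findtext("label") or ""
        if label.count(":") != 4:
            raise ValueError("static label needs a full context with categories")
        # Assumed here: a static label with no relabel= attribute means 'no'.
        return label, el.get("relabel", "no") == "yes"
    raise ValueError(f"unsupported seclabel type {kind!r}")

def validate(xml):
    """None when the element resolves cleanly, else the error text."""
    try:
        resolve_seclabel(xml)
    except (ValueError, ET.ParseError) as exc:
        return str(exc)
```

Option 3 is the one a cluster manager would use to hand out labels itself; option 4 is the new combination where the manager fixes the label but libvirt still relabels disks and devices.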