Re: [libvirt] [PATCH] Fix configuration of QEMU security drivers

On 08/29/2012 05:37 PM, Daniel P. Berrange wrote: > From: "Daniel P. Berrange" <berrange(a)redhat.com&gt; > > If no 'security_driver' config option was set, then the code > just loaded the 'dac' security driver. This is a regression > on previous behaviour, where we would probe for a possible > security driver. ie default to SELinux if available. > > This changes things so that it 'security_driver' is not set, > we once again do probing. For simplicity we also always > create the stack driver, even if there is only one driver > active. > > The desired semantics are: > > - security_driver not set > -> probe for selinux/apparmour/nop > -> auto-add DAC driver > - security_driver set to a string > -> add that one driver > -> auto-add DAC driver > - security_driver set to a list > -> add all drivers in list > -> auto-add DAC driver > > It is not allowed, or possible to specify 'dac' in the > security_driver config param, since that is always > enabled. That's true when dynamic_ownership is 1. But what happens if dynamic_ownership is 0 (defaults to off for all guests), but for one particular guest, I want to override that default and explicitly enable dac for that guest?