-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 06/27/2011 08:20 AM, Daniel P. Berrange wrote:
This patch series adds two new features
- The ability to override 'system_u:system_r:svirt_t:s0' from /etc/selinux/targeted/contexts/virtual_domain_context using the guest XML - The ability to use dynamic relabelling of resources, in combo with static VM label assignment.
The latter is useful for management applications which want to be in full control of assigning VM labels (so that they can be unique across an entire cluster of hosts for example), while still benefiting from automatic relabelling of resources in the XML.
I think you might want to be a little more flexible with this. I see where you would want 4 ways of doing this. Dynamic with /etc/selinux/targeted/contexts/virtual_domain_context Dynamic with alternate TYPE, Meaning I could specify system_u:system_r:svirt_apache_t:s0 and then libvirt would select a MCS label for this context and launch system_u:system_r:svirt_apache_t:s0:c1,c257 Static with no relabel. Static with relabel. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk4JuxgACgkQrlYvE4MpobMIyACeMEHG5Iv2fP15pexyss34wsGF dGsAn1gKtRuMeuVKBdU4TJL6Ar1Kl1ZB =V6qL -----END PGP SIGNATURE-----