Re: [libvirt] [PATCH 0/3] Improve flexibility of SELinux labelling
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 06/27/2011 08:20 AM, Daniel P. Berrange wrote:
This patch series adds two new features
- The ability to override 'system_u:system_r:svirt_t:s0' from
/etc/selinux/targeted/contexts/virtual_domain_context using
the guest XML
- The ability to use dynamic relabelling of resources, in combo
with static VM label assignment.
The latter is useful for management applications which want to
be in full control of assigning VM labels (so that they can be
unique across an entire cluster of hosts for example), while
still benefiting from automatic relabelling of resources in the
XML.
I think you might want to be a little more flexible with this. I see
where you would want 4 ways of doing this.
Dynamic with /etc/selinux/targeted/contexts/virtual_domain_context
Dynamic with alternate TYPE, Meaning I could specify
system_u:system_r:svirt_apache_t:s0 and then libvirt would select a MCS
label for this context and launch
system_u:system_r:svirt_apache_t:s0:c1,c257
Static with no relabel.
Static with relabel.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk4JuxgACgkQrlYvE4MpobMIyACeMEHG5Iv2fP15pexyss34wsGF
dGsAn1gKtRuMeuVKBdU4TJL6Ar1Kl1ZB
=V6qL
-----END PGP SIGNATURE-----