Re: [libvirt] None seclabel question

On Mon, Sep 03, 2012 at 12:57:50PM -0300, Marcelo Cerri wrote: > Hi, > > I was discussing with Jiri Denemark about the current behavior of > none seclabels with multiple security drivers and I'd like to hear > more opinions about how this should work. > > Currently, a none security label can be defined specifically to each > enabled security driver. For example, using a default configuration > (in which SELinux is enabled as default driver and DAC is enabled > due to privileged mode), a guest definition can contain the > following seclabel: > > <seclabel type='none' model='selinux'/> > > This will disable SELinux labeling and will keep labeling enabled > for any other security drivers (DAC in this case). > > So, my question is: should none seclabels affect specific drivers > (as done now) or just one none seclabel should be accepted affecting > all security drivers in use? No, as with your example above, the type=none is scoped to a specific driver.