Hi everyone,
so there was an idea about limiting the relabelling of images that
libvirt does. And I'm taking the liberty of pitching my idea of how to
approach this. I feel like it's a pretty simple thing and there's not
much to talk about, but a) I could've missed something and b) you might
hate the way I approach it.
The idea is to extend the seclabel XML, for example:
  <seclabel type='dynamic' model='dac' relabel='whitelist'>
    <path>/var/lib/libvirt/images</path>
    <path>/data/virt-stuff</path>
  </seclabel>
Either we allow 'relabel' to be set to 'whitelist' or add a new
attribute with a name like 'mode' or something, which will control how
we relabel the files (actually relabel='no' can mean 'whitelist' and
relabel='yes' can mean blacklist without adding anything there). After
that you can specify what paths are (dis)allowed to be labelled.
Actually thinking about it I like the following the most:
  <seclabel type='dynamic' model='dac' relabel='no'>
    <whitelist path='/data'/>
    <blacklist path='/data/private/non-virt/stuff'/>
  </seclabel>
which I believe is pretty explanatory. Feel free to ask if it's not.
And let me know what you think.
And have a nice day!!!
Martin
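
Added example, not part of the original message and not libvirt code: one way the whitelist/blacklist decision from the second snippet could be evaluated. The type and function names are hypothetical, and the semantics (longest matching path wins, blacklist wins ties, matching only on path-component boundaries, failing closed on non-canonical paths) are assumptions the proposal does not spell out.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical model of the proposed <whitelist>/<blacklist> elements. */
enum rule_kind { RULE_BLACKLIST, RULE_WHITELIST };
struct path_rule { enum rule_kind kind; const char *prefix; };

/* Constructed sample: the rules from the second XML snippet above. */
static const struct path_rule sample_rules[] = {
    { RULE_WHITELIST, "/data" },
    { RULE_BLACKLIST, "/data/private/non-virt/stuff" },
};

/* Length of prefix if it covers path on a component boundary, else 0:
 * "/data" covers "/data/x.img" but not "/database/x.img". */
static size_t rule_match_len(const char *prefix, const char *path)
{
    size_t n = strlen(prefix);
    while (n > 1 && prefix[n - 1] == '/')   /* ignore trailing slashes */
        n--;
    if (n == 0 || strncmp(prefix, path, n) != 0)
        return 0;
    if (n == 1)                             /* prefix is "/" */
        return 1;
    return (path[n] == '\0' || path[n] == '/') ? n : 0;
}

/* Returns 1 if path may be relabelled. Assumed semantics: the longest
 * matching rule wins, blacklist wins ties, default_relabel otherwise. */
int relabel_allowed(const char *path, const struct path_rule *rules,
                    size_t nrules, int default_relabel)
{
    size_t best = 0, len = strlen(path);
    int verdict = default_relabel;
    /* Assumption: caller canonicalised path (e.g. realpath(3)); fail
     * closed on relative paths and leftover ".." components. */
    if (path[0] != '/' || strstr(path, "/../") != NULL ||
        (len >= 3 && strcmp(path + len - 3, "/..") == 0))
        return 0;
    for (size_t i = 0; i < nrules; i++) {
        size_t n = rule_match_len(rules[i].prefix, path);
        if (n > best || (n > 0 && n == best && rules[i].kind == RULE_BLACKLIST)) {
            best = n;
            verdict = (rules[i].kind == RULE_WHITELIST);
        }
    }
    return verdict;
}

int main(void) { return !relabel_allowed("/data/vm1.img", sample_rules, 2, 0); }
```

The default_relabel argument stands in for relabel='yes' (1) or relabel='no' (0) on the seclabel element.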