-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cole Robinson wrote:
> Daniel J Walsh wrote:
> The patch didn't apply to latest upstream (there has been a lot of code
> movement recently). I rediffed the patch to apply against current tip,
> and made a few minor changes that don't change the overall result
> (mentioned below).
>
> > Also found at least one big bug in python-virtinst, VirtualDisk.py was
> > dropping the "/" between dirname and basename of installation object,
> > when you told it to create the object.
> >
> This is already fixed upstream. You also had a minor bug fix in the
> Installer class that is fixed as well, so I dropped both pieces.

Ok, my patch was against the F11 released version obviously.

> > I think we want to have a big switch stored in libvirt somewhere saying
> > whether or not we want isolated virtual machines.
> >
> I think this should really be at the management tool level (i.e.,
> virt-manager). libvirt should be dumb in this respect, being passed a
> label via the xml and doing with it what it's told.

I disagree. The management of labeling and the database are too
difficult, since the user might later want to turn it on. We would not
be able to change from one setting to the other if the labels and
labeling are not in place. The current rawhide policy would work with
SELinux whether or not the libvirt calls the setexeccon call. So we can
easily turn on the separated virtual machines and turn it off.

> I figure, virt-manager can have an option in Edit->Preferences,
> something like "Isolate virtual machines with SELinux". Defaults to on.
> If selinux isn't running, we disable the option with a tooltip
> explaining why (or maybe hide it altogether). If the option is enabled,
> virt-manager will assign labels to VMs at install time, and check all
> active connections to avoid label collisions. More advanced behavior can
> come later (assigning specific labels, some sort of collision
> resolution with VMs on new connections, etc.)

But now if you turn it off after adding a couple of machines, you would
have some with labels and some without.

> Updated patch attached, I'll reply with patch-specific comments
> later.
>
> Thanks,
> Cole
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora -
http://enigmail.mozdev.org
iEYEARECAAYFAkmi5jgACgkQrlYvE4MpobMY3QCfQjDAIyTDzwv7AnAu5GqycZoh
GZAAn1Q8oFb5bxDAuvov8jmYnX3OkrkA
=y1Y1
-----END PGP SIGNATURE-----
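Added example, not code from the thread, libvirt or virt-manager: a sketch of the label bookkeeping the two sides are discussing, namely assigning a per-VM MCS label at install time while checking every active connection for collisions (Cole's proposal), and detecting the mixed state where some domains carry a label and some do not (Dan's objection). It assumes the `svirt_t:s0:cA,cB` label form that sVirt uses, 1024 MCS categories, and a deterministic first-free scan instead of sVirt's random pick; the connection/domain data is constructed inline, and `virt_t:s0` is used only as a placeholder for a domain created without isolation.

```python
"""sVirt-style MCS label allocation with cross-connection collision checks.

Added example, not part of the original mailing-list thread. Assumptions:
labels look like system_u:system_r:svirt_t:s0:cA,cB (sVirt's form), there
are 1024 categories c0..c1023, and allocation scans for the first unused
pair rather than picking at random as sVirt does.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

SVIRT_PREFIX = "system_u:system_r:svirt_t:s0"
NUM_CATEGORIES = 1024  # MCS categories available in the default policy
_LABEL_RE = re.compile(r"^system_u:system_r:svirt_t:s0:c(\d+),c(\d+)$")

# Connection URI -> {domain name: security label}. Constructed sample data;
# "legacy-vm" stands for a guest created while isolation was switched off.
SAMPLE_CONNECTIONS: Dict[str, Dict[str, str]] = {
    "qemu:///system": {
        "web": f"{SVIRT_PREFIX}:c0,c1",
        "db": f"{SVIRT_PREFIX}:c0,c2",
        "legacy-vm": "system_u:system_r:virt_t:s0",  # placeholder, no MCS pair
    },
    "qemu+ssh://host2/system": {
        "build": f"{SVIRT_PREFIX}:c0,c3",
    },
}


def parse_categories(label: str) -> Optional[Tuple[int, int]]:
    """Return the category pair of an svirt label as a sorted tuple, or None
    when the label carries no MCS pair (the domain is not isolated)."""
    m = _LABEL_RE.match(label)
    if not m:
        return None
    a, b = int(m.group(1)), int(m.group(2))
    return (min(a, b), max(a, b))  # c1,c0 and c0,c1 name the same context


def categories_in_use(connections: Dict[str, Dict[str, str]]) -> Set[Tuple[int, int]]:
    """Collect the category pairs of every domain on every active connection."""
    used: Set[Tuple[int, int]] = set()
    for domains in connections.values():
        for label in domains.values():
            pair = parse_categories(label)
            if pair is not None:
                used.add(pair)
    return used


def label_in_use(label: str, connections: Dict[str, Dict[str, str]]) -> bool:
    """True if a label's category pair already belongs to some active domain."""
    pair = parse_categories(label)
    return pair is not None and pair in categories_in_use(connections)


def allocate_label(connections: Dict[str, Dict[str, str]]) -> str:
    """Pick the first category pair (cA < cB) not used by any domain on any
    connection. Two guests sharing a pair could touch each other's disk
    images, so the collision check is the whole point of this step."""
    used = categories_in_use(connections)
    for a in range(NUM_CATEGORIES):
        for b in range(a + 1, NUM_CATEGORIES):
            if (a, b) not in used:
                return f"{SVIRT_PREFIX}:c{a},c{b}"
    raise RuntimeError("no free MCS category pair left")


def unlabeled_domains(connections: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """List (connection, domain) pairs lacking an svirt MCS label: the mixed
    state that appears when isolation is turned off after some guests were
    already labeled, so a tool can warn before flipping the switch."""
    return sorted(
        (uri, name)
        for uri, domains in connections.items()
        for name, label in domains.items()
        if parse_categories(label) is None
    )


if __name__ == "__main__":
    print("in use:", sorted(categories_in_use(SAMPLE_CONNECTIONS)))
    print("next label:", allocate_label(SAMPLE_CONNECTIONS))
    print("unlabeled:", unlabeled_domains(SAMPLE_CONNECTIONS))
```

A real tool would feed `categories_in_use` from each connection's domain `<seclabel>` elements rather than a dict, and would need to re-check right before defining the guest, since another client may have allocated the same pair in between.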