On 12/06/2011 03:33 AM, Daniel P. Berrange wrote:
On Mon, Dec 05, 2011 at 05:25:20PM -0700, Eric Blake wrote:
> @@ -9856,6 +9859,8 @@ virDomainDiskDefFormat(virBufferPtr buf,
> virBufferAddLit(buf, " <shareable/>\n");
> if (def->transient)
> virBufferAddLit(buf, " <transient/>\n");
> + if ((flags & VIR_DOMAIN_XML_INTERNAL_STATUS) &&
def->noSecurityLabel)
> + virBufferAddLit(buf, " <nolabel/>\n");
> virBufferEscapeString(buf, " <serial>%s</serial>\n",
def->serial);
> if (def->encryption) {
> virBufferAdjustIndent(buf, 6);
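Review bot: the new `def->noSecurityLabel` branch needs a comment stating that `<nolabel/>` is internal status state, and the parser should accept the element only under the same VIR_DOMAIN_XML_INTERNAL_STATUS flag that gates it here. Otherwise a `<nolabel/>` in user-supplied XML could set the field even though the formatter would never show it in normal dumps. The parse side is not visible in this hunk, so this is something to confirm rather than a defect found in these lines.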
A good motivation, but we need something a little bit more flexible.
My syntax was completely internal (never exposed to the user, and only
set by the selinux driver when we detect inability to label but the
virt_use_nfs bool lets operation proceed anyway). That said,
As well as disabling re-labelling, we want to be able to override the
security label per disk. I think we should thus use a syntax that is
more general & is aligned with the existing <seclabel> element syntax,
i.e.

  <seclabel relabel='yes|no'>
    <baselabel>foo_u:foo_r:foo_t:s0</baselabel>
  </seclabel>
I like your idea better, of making it user-configurable; I'd also like
to add this attribute on other locations, such as things like
<os>/<kernel>, backing files for <serial type='file'>, certificate files
for <smartcard>, pass-through PCI and USB devices, and so on. I'll
start on a v2 along these lines.
For the relabel attribute, I think we need to treat it as a tri-state:
missing (the default, and back-compatible to existing XML) is to use the
domain defaults. The user can request explicit labeling via 'yes' (hard
failure if labeling is not possible, even if virt_use_nfs would
otherwise allow access without a label), explicit lack of labeling via
'no' (no labeling is attempted, even on non-NFS that would otherwise
support it). Additionally, libvirt will update the live XML to list
relabel='no' in situations where the attribute is missing from the
config xml and labeling failed (for NFS), while leaving relabel omitted
on a successful label.
(base label overrides the default obtained from the file
/etc/selinux/targetted/context/virtual_image_context)
or the default from the domain-global <seclabel> element.
--
Eric Blake eblake(a)redhat.com +1-919-301-3266
Libvirt virtualization library
http://libvirt.org
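
The tri-state relabel behaviour described in the message above, written out as a decision function. This is an added example, not code from the patch or from libvirt: `resolve_relabel`, the enum names and the `label_ok` input are hypothetical. It assumes the domain default is to relabel and that a failed label without virt_use_nfs is a hard failure.

```c
#include <stdbool.h>
#include <stdio.h>

/* Tri-state value of the proposed per-disk relabel attribute. */
enum relabel { RELABEL_ABSENT, RELABEL_YES, RELABEL_NO };

enum outcome {
    OUT_LABELED,       /* label applied */
    OUT_SKIPPED,       /* explicit 'no': labeling never attempted */
    OUT_UNLABELED_NFS, /* label failed, virt_use_nfs lets the guest proceed */
    OUT_FAIL           /* hard failure */
};

struct result {
    enum outcome outcome;
    enum relabel live;   /* what the live XML would list afterwards */
};

/* Hypothetical helper. label_ok stands in for the result of the security
 * driver's labeling call; virt_use_nfs is the SELinux boolean. */
static struct result resolve_relabel(enum relabel cfg, bool label_ok,
                                     bool virt_use_nfs)
{
    struct result r = { OUT_FAIL, cfg };

    if (cfg == RELABEL_NO) {        /* skipped even where labeling would work */
        r.outcome = OUT_SKIPPED;
        return r;
    }
    if (label_ok) {                 /* live XML keeps the configured value */
        r.outcome = OUT_LABELED;
        return r;
    }
    /* Labeling failed. 'yes' is never downgraded by virt_use_nfs; an absent
     * attribute without the boolean failing is an assumption of this example. */
    if (cfg == RELABEL_YES || !virt_use_nfs)
        return r;
    r.outcome = OUT_UNLABELED_NFS;  /* attribute absent: record the fallback */
    r.live = RELABEL_NO;
    return r;
}

int main(void)
{
    static const char *names[] = { "labeled", "skipped", "unlabeled-nfs", "fail" };
    struct result r = resolve_relabel(RELABEL_ABSENT, false, true);
    printf("absent, label fails, virt_use_nfs on: %s, live relabel=%s\n",
           names[r.outcome], r.live == RELABEL_NO ? "no" : "(omitted)");
    return 0;
}
```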