Re: [libvirt] [PATCH] security: don't try to restore label on NFS if label failed
On Mon, Dec 05, 2011 at 05:25:20PM -0700, Eric Blake wrote:
@@ -9856,6 +9859,8 @@ virDomainDiskDefFormat(virBufferPtr buf,
virBufferAddLit(buf, " <shareable/>\n");
if (def->transient)
virBufferAddLit(buf, " <transient/>\n");
+ if ((flags & VIR_DOMAIN_XML_INTERNAL_STATUS) &&
def->noSecurityLabel)
+ virBufferAddLit(buf, " <nolabel/>\n");
virBufferEscapeString(buf, " <serial>%s</serial>\n",
def->serial);
if (def->encryption) {
virBufferAdjustIndent(buf, 6);
A good motivation, but we need something a little bit more
flexible. As well as disabling re-labelling, we want to be
able to override the security label per disk. I think we
should thus use a syntax that is more general & is aligned
with the existing <seclabel> element syntax. ie
<seclabel relabel='yes|no'>
<baselabel>foo_u:foo_r:foo_t:s0</baselabel>
</seclabel>
(base label overrides the default obtained from the file
/etc/selinux/targetted/context/virtual_image_context)
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|