[libvirt] [PATCH] security: don't try to restore label on NFS if label failed
Daniel P. Berrange
berrange at redhat.com
Tue Dec 6 10:33:10 UTC 2011
On Mon, Dec 05, 2011 at 05:25:20PM -0700, Eric Blake wrote:
> @@ -9856,6 +9859,8 @@ virDomainDiskDefFormat(virBufferPtr buf,
> virBufferAddLit(buf, " <shareable/>\n");
> if (def->transient)
> virBufferAddLit(buf, " <transient/>\n");
> + if ((flags & VIR_DOMAIN_XML_INTERNAL_STATUS) && def->noSecurityLabel)
> + virBufferAddLit(buf, " <nolabel/>\n");
> virBufferEscapeString(buf, " <serial>%s</serial>\n", def->serial);
> if (def->encryption) {
> virBufferAdjustIndent(buf, 6);
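Review bot: The `<nolabel/>` element in the two added lines is written only when VIR_DOMAIN_XML_INTERNAL_STATUS is set, but nothing in the hunk says that def->noSecurityLabel is internal status data rather than part of the public domain XML. Add a short comment above the `if` stating that, and check that the parsing side reads `<nolabel/>` into def->noSecurityLabel only under the same flag, so that XML supplied by a user cannot switch off label restore for a disk.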
A good motivation, but we need something a little bit more
flexible. As well as disabling re-labelling, we want to be
able to override the security label per disk. I think we
should thus use a syntax that is more general & is aligned
with the existing <seclabel> element syntax, i.e.

   <seclabel relabel='yes|no'>
     <baselabel>foo_u:foo_r:foo_t:s0</baselabel>
   </seclabel>

(base label overrides the default obtained from the file
/etc/selinux/targetted/context/virtual_image_context)

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|