[libvirt] [PATCH] security: don't try to restore label on NFS if label failed

Daniel P. Berrange berrange at redhat.com
Tue Dec 6 10:33:10 UTC 2011


On Mon, Dec 05, 2011 at 05:25:20PM -0700, Eric Blake wrote:
> @@ -9856,6 +9859,8 @@ virDomainDiskDefFormat(virBufferPtr buf,
>          virBufferAddLit(buf, "      <shareable/>\n");
>      if (def->transient)
>          virBufferAddLit(buf, "      <transient/>\n");
> +    if ((flags & VIR_DOMAIN_XML_INTERNAL_STATUS) && def->noSecurityLabel)
> +        virBufferAddLit(buf, "      <nolabel/>\n");
>      virBufferEscapeString(buf, "      <serial>%s</serial>\n", def->serial);
>      if (def->encryption) {
>          virBufferAdjustIndent(buf, 6);
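Review bot: The new `<nolabel/>` element is a bare boolean gated on `VIR_DOMAIN_XML_INTERNAL_STATUS`, so it only ever appears in the daemon's private status XML; make sure the matching parse path reads it back into `def->noSecurityLabel`, otherwise the "skip restore" decision is lost across a libvirtd restart and the restore this patch is meant to avoid happens anyway. Because the element records neither which label was applied nor why relabelling was skipped, consider attaching the information to a per-disk element that can also carry an explicit label rather than adding a standalone `<nolabel/>`, and note the new element in the formatter alongside the other status-only output.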

A good motivation, but we need something a little bit more
flexible. As well as disabling re-labelling, we want to be
able to override the security label per disk. I think we
should thus use a syntax that is more general & is aligned
with the existing <seclabel> element syntax, i.e.

   <seclabel relabel='yes|no'>
     <baselabel>foo_u:foo_r:foo_t:s0</baselabel>
   </seclabel>

(base label overrides the default obtained from the file
 /etc/selinux/targetted/context/virtual_image_context)

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
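To make the semantics of the proposed per-disk syntax concrete, here is an added example (not libvirt code and not from this thread) that parses a `<disk>` element carrying the suggested `<seclabel relabel='yes|no'>` with an optional `<baselabel>` child, and resolves it to two values: whether the disk should be relabelled at all, and which SELinux context to use. The function name `resolve_disk_seclabel`, the default context string and the context-format check are assumptions made for the example; in a real implementation the default would come from the policy's virtual_image_context file.

```python
import re
import xml.etree.ElementTree as ET

# Stand-in for the default obtained from the policy's virtual_image_context
# file. This value is constructed for the example, not read from a system.
DEFAULT_IMAGE_LABEL = "system_u:object_r:svirt_image_t:s0"

# Simplified shape check for an SELinux context user:role:type:level, where
# level is a sensitivity (optionally a range) with an optional category set,
# e.g. "s0", "s0:c10,c20", "s0-s0:c0.c1023". Assumption: this is a sanity
# check only, not a substitute for asking the policy whether the label is valid.
_CONTEXT_RE = re.compile(
    r"^[^:\s]+:[^:\s]+:[^:\s]+:"
    r"s\d+(?:-s\d+)?(?::c\d+(?:[.,]c\d+)*)?$"
)


def resolve_disk_seclabel(disk_xml, default_label=DEFAULT_IMAGE_LABEL):
    """Resolve the proposed per-disk <seclabel> override.

    Returns (relabel, label):
      relabel -- False when <seclabel relabel='no'> is present, True otherwise
                 (absence of <seclabel> means the usual automatic relabelling).
      label   -- the <baselabel> text when given and well-formed, else
                 default_label. It is returned even when relabel is False so a
                 caller can still record what label the disk is expected to carry.
    Raises ValueError for an unknown relabel value or a malformed baselabel.
    """
    root = ET.fromstring(disk_xml)
    if root.tag != "disk":
        raise ValueError("expected a <disk> element, got <%s>" % root.tag)

    sec = root.find("seclabel")
    if sec is None:
        return True, default_label

    relabel_attr = sec.get("relabel", "yes")
    if relabel_attr not in ("yes", "no"):
        raise ValueError("relabel must be 'yes' or 'no', got %r" % relabel_attr)

    base = sec.findtext("baselabel")
    if base is not None:
        base = base.strip()
        if not _CONTEXT_RE.match(base):
            raise ValueError("malformed baselabel %r" % base)

    label = base if base else default_label
    return relabel_attr == "yes", label


if __name__ == "__main__":
    # Constructed sample disks exercising the three cases.
    samples = [
        "<disk type='file'><source file='/var/lib/libvirt/images/a.img'/></disk>",
        "<disk type='file'><seclabel relabel='no'/></disk>",
        ("<disk type='file'><seclabel relabel='yes'>"
         "<baselabel>foo_u:foo_r:foo_t:s0</baselabel></seclabel></disk>"),
    ]
    for xml in samples:
        print(resolve_disk_seclabel(xml))
```

The split between the `relabel` flag and the returned label is deliberate: a disk on NFS where labelling failed is exactly the case in which libvirt should neither apply nor later restore a label, while still knowing which label it would have expected, which a bare `<nolabel/>` marker cannot express.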
