[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH] security: don't try to restore label on NFS if label failed



On 12/06/2011 03:33 AM, Daniel P. Berrange wrote:
> On Mon, Dec 05, 2011 at 05:25:20PM -0700, Eric Blake wrote:
>> @@ -9856,6 +9859,8 @@ virDomainDiskDefFormat(virBufferPtr buf,
>>          virBufferAddLit(buf, "      <shareable/>\n");
>>      if (def->transient)
>>          virBufferAddLit(buf, "      <transient/>\n");
>> +    if ((flags & VIR_DOMAIN_XML_INTERNAL_STATUS) && def->noSecurityLabel)
>> +        virBufferAddLit(buf, "      <nolabel/>\n");
>>      virBufferEscapeString(buf, "      <serial>%s</serial>\n", def->serial);
>>      if (def->encryption) {
>>          virBufferAdjustIndent(buf, 6);
> 
> A good motivation, but we need something a little bit more
> flexible.

My syntax was completely internal (never exposed to the user, and only
set by the selinux driver when we detect inability to label but the
virt_use_nfs bool lets operation proceed anyway).  That said,

> As well as disabling re-labelling, we want to be
> able to override the security label per disk. I think we
> should thus use a syntax that is more general & is aligned
> with the existing <seclabel> element syntax. ie
> 
>    <seclabel relabel='yes|no'>
>      <baselabel>foo_u:foo_r:foo_t:s0</baselabel>
>    </seclabel>

I like your idea better, of making it user-configurable; I'd also like
to add this attribute on other locations, such as things like
<os>/<kernel>, backing files for <serial type='file'>, certificate files
for <smartcard>, pass-through PCI and USB devices, and so on.  I'll
start on a v2 along these lines.

For the relabel attribute, I think we need to treat it as a tri-state:
missing (the default, and back-compatible to existing XML) is to use the
domain defaults.  The user can request explicit labeling via 'yes' (hard
failure if labeling is not possible, even if virt_use_nfs would
otherwise allow access without a label), explicit lack of labeling via
'no' (no labeling is attempted, even on non-NFS that would otherwise
support it).  Additionally, libvirt will update the live XML to list
relabel='no' in situations where the attribute is missing from the
config xml and labeling failed (for NFS), while leaving relabel omitted
on a successful label.

> 
> (base label overrides the default obtained from the file
>  /etc/selinux/targetted/context/virtual_image_context)

or the default from the domain-global <seclabel> element.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]