[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH 0/3] Improve flexibility of SELinux labelling



On Tue, Jun 28, 2011 at 07:29:28AM -0400, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 06/27/2011 08:20 AM, Daniel P. Berrange wrote:
> > This patch series adds two new features
> > 
> >  - The ability to override 'system_u:system_r:svirt_t:s0' from
> >    /etc/selinux/targeted/contexts/virtual_domain_context using
> >    the guest XML
> >  - The ability to use dynamic relabelling of resources, in combo
> >    with static VM label assignment.
> > 
> > The latter is useful for management applications which want to
> > be in full control of assigning VM labels (so that they can be
> > unique across an entire cluster of hosts for example), while
> > still benefiting from automatic relabelling of resources in the
> > XML.
> > 
> I think you might want to be a little more flexible with this.  I see
> where you would want 4 ways of doing this.

We already do options 1 and 3. These two patches I post let us also
support options 2 and 4, so I think we're sorted.

> Dynamic with  /etc/selinux/targeted/contexts/virtual_domain_context

  <seclabel type='dynamic'/>

> Dynamic with alternate TYPE, Meaning I could specify
> system_u:system_r:svirt_apache_t:s0 and then libvirt would select a MCS
> label for this context and launch
> system_u:system_r:svirt_apache_t:s0:c1,c257

   <seclabel type='dynamic'>
     <baselabel>system_u:system_r:svirt_apache_t:s0</baselabel>
   </seclabel>

> Static with no relabel.

   <seclabel type='static' relabel='no'>
     <label>system_u:system_r:svirt_apache_t:s0:c1,c257</label>
   </seclabel>

> Static with relabel.

   <seclabel type='static' relabel='yes'>
     <label>system_u:system_r:svirt_apache_t:s0:c1,c257</label>
   </seclabel>

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]