[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH] Fix configuration of QEMU security drivers



On 08/29/2012 05:37 PM, Daniel P. Berrange wrote:
> From: "Daniel P. Berrange" <berrange redhat com>
> 
> If no 'security_driver' config option was set, then the code
> just loaded the 'dac' security driver. This is a regression
> on previous behaviour, where we would probe for a possible
> security driver. ie default to SELinux if available.
> 
> This changes things so that it 'security_driver' is not set,
> we once again do probing. For simplicity we also always
> create the stack driver, even if there is only one driver
> active.
> 
> The desired semantics are:
> 
>  - security_driver not set
>      -> probe for selinux/apparmour/nop
>      -> auto-add DAC driver
>  - security_driver set to a string
>      -> add that one driver
>      -> auto-add DAC driver
>  - security_driver set to a list
>      -> add all drivers in list
>      -> auto-add DAC driver
> 
> It is not allowed, or possible to specify 'dac' in the
> security_driver config param, since that is always
> enabled.

That's true when dynamic_ownership is 1.  But what happens if
dynamic_ownership is 0 (defaults to off for all guests), but for one
particular guest, I want to override that default and explicitly enable
dac for that guest?

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]