[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[libvirt] None seclabel question


I was discussing with Jiri Denemark about the current behavior of none seclabels with multiple security drivers and I'd like to hear more opinions about how this should work.

Currently, a none security label can be defined specifically to each enabled security driver. For example, using a default configuration (in which SELinux is enabled as default driver and DAC is enabled due to privileged mode), a guest definition can contain the following seclabel:

    <seclabel type='none' model='selinux'/>

This will disable SELinux labeling and will keep labeling enabled for any other security drivers (DAC in this case).

So, my question is: should none seclabels affect specific drivers (as done now) or just one none seclabel should be accepted affecting all security drivers in use?


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]