[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] None seclabel question



On Tue, Sep 04, 2012 at 10:22:56 +0100, Daniel P. Berrange wrote:
> On Mon, Sep 03, 2012 at 12:57:50PM -0300, Marcelo Cerri wrote:
> > Hi,
> > 
> > I was discussing with Jiri Denemark about the current behavior of
> > none seclabels with multiple security drivers and I'd like to hear
> > more opinions about how this should work.
> > 
> > Currently, a none security label can be defined specifically to each
> > enabled security driver. For example, using a default configuration
> > (in which SELinux is enabled as default driver and DAC is enabled
> > due to privileged mode), a guest definition can contain the
> > following seclabel:
> > 
> >     <seclabel type='none' model='selinux'/>
> > 
> > This will disable SELinux labeling and will keep labeling enabled
> > for any other security drivers (DAC in this case).
> > 
> > So, my question is: should none seclabels affect specific drivers
> > (as done now) or just one none seclabel should be accepted affecting
> > all security drivers in use?
> 
> No, as with your example above, the type=none is scoped to a specific
> driver.

And what happens if you have older libvirt and a domain configured with
<seclabel type='none'/> and upgrade libvirt to the state when it actually
enables more than one security driver at a time. Shouldn't such generic
<seclabel type='none'/> actually turn off any labeling, that is, affect all
the enabled drivers?

Jirka


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]