
Re: [libvirt] [PATCH] doc: Clarify usage of SELinux baselabel



On 04/24/13 17:57, Eric Blake wrote:
On 04/24/2013 07:30 AM, Peter Krempa wrote:
State what fields are used when generating SELinux labels from a
baselabel.
---
  docs/formatdomain.html.in | 9 +++++++--
  1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index 888c005..9118ff0 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -4596,8 +4596,13 @@ qemu-kvm -net nic,model=? /dev/null
        </dd>
        <dt><code>baselabel</code></dt>
        <dd>If dynamic labelling is used, this can optionally be
-        used to specify the base security label. The format
-        of the content depends on the security driver in use.
+        used to specify the base security label that will be used to generate
+        the actual label. The format of the content depends on the security
+        driver in use.
+
+        The SELinux driver uses only the <code>type</code> field of the
+        baselabel in the generated label. Other fields are inherited from
+        the parent process when using SELinux baselabels.
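
Review bot: In the text added inside the <dd>, the blank line before "The SELinux driver uses only the <code>type</code> field" will not render as a paragraph break, because HTML collapses whitespace. The SELinux note will therefore run straight on from "driver in use."; wrap it in its own <p> if a separate paragraph is intended, or drop the blank line. The trailing "when using SELinux baselabels" repeats what the start of that sentence pair already establishes and can be cut. It would also help to name the "Other fields" that are inherited from the parent process, so that readers do not have to infer which parts of a supplied baselabel are ignored.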

ACK - definite improvement.

Hmm - we already gave the example of:
     &lt;baselabel&gt;system_u:system_r:my_svirt_t:s0&lt;/baselabel&gt;

Would it help to mention here that in the example above, the baselabel
uses only the 'my_svirt_t' portion of the given label?


Something along:

(The example above demonstrates the use of <code>my_svirt_t</code> as the value for the <code>type</code> field.) ?

Peter

