On Thu, Feb 28, 2013 at 01:46:24PM +0000, Matthew Booth wrote:
> On Thu, 2013-02-28 at 10:57 +0000, Richard W.M. Jones wrote:
> > From: "Richard W.M. Jones" <rjones(a)redhat.com>
> >
> > This internal API sets two SELinux labels in the handle (the process
> > label and the image label -- they are closely related).
> >
> > If using the libvirt attach-method with SELinux and sVirt, then this
> > will cause the following XML to be added to the appliance definition:
> >
> > <seclabel type=static model=selinux relabel=yes>
> > <label>[LABEL HERE]</label>
> > <imagelabel>[IMAGELABEL HERE]</imagelabel>
> > </seclabel>
>
> We're hard-coding type=static, model=selinux, relabel=yes here. I have
> no idea what the implications of this are. Are we sure this is ok? I
> guess Dan would be the person to ask.

That's definitely one reason why this is an internal API, not a
published one :-)

At the moment my plan is to do what works (which is this), not what is
elegant or even long-term supportable. I hope in the long term we
could have some XML we could pass to libvirt to say "I want to peek
into the disks of this domain, just do it".

Rich.

--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
libguestfs lets you edit virtual machines. Supports shell scripting,
bindings from many languages.
http://libguestfs.org