doc: Clarify usage of SELinux baselabel

State what fields are used when generating SELinux labels from a baselabel.
2024-08-28 11:31:16 +00:00 · 2013-04-24 15:25:06 +02:00 · 2013-04-24 15:25:06 +02:00 · 278a833922
commit 278a833922
parent 45d6c67143
1 changed files with 10 additions and 2 deletions
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@ -4600,8 +4600,16 @@ qemu-kvm -net nic,model=? /dev/null
      </dd>
      <dt><code>baselabel</code></dt>
      <dd>If dynamic labelling is used, this can optionally be
-        used to specify the base security label. The format
-        of the content depends on the security driver in use.
+        used to specify the base security label that will be used to generate
+        the actual label. The format of the content depends on the security
+        driver in use.
+
+        The SELinux driver uses only the <code>type</code> field of the
+        baselabel in the generated label. Other fields are inherited from
+        the parent process when using SELinux baselabels.
+
+        (The example above demonstrates the use of <code>my_svirt_t</code>
+        as the value for the <code>type</code> field.)
      </dd>
      <dt><code>imagelabel</code></dt>
      <dd>This is an output only element, which shows the