seclabel: extend XML to allow per-disk label overrides

When doing security relabeling, there are cases where a per-file
override might be appropriate.  For example, with a static label
and relabeling, it might be appropriate to skip relabeling on a
particular disk, where the backing file lives on NFS that lacks
the ability to track labeling.  Or with dynamic labeling, it might
be appropriate to use a custom (non-dynamic) label for a disk
specifically intended to be shared across domains.

The new XML resembles the top-level <seclabel>, but with fewer
options (basically relabel='no', or <label>text</label>):

<domain ...>
  ...
  <devices>
    <disk type='file' device='disk'>
      <source file='/path/to/image1'>
        <seclabel relabel='no'/> <!-- override for just this disk -->
      </source>
      ...
    </disk>
    <disk type='file' device='disk'>
      <source file='/path/to/image1'>
        <seclabel relabel='yes'> <!-- override for just this disk -->
          <label>system_u:object_r:shared_content_t:s0</label>
        </seclabel>
      </source>
      ...
    </disk>
    ...
  </devices>
  <seclabel type='dynamic' model='selinux'>
    <baselabel>text</baselabel> <!-- used for all devices without override -->
  </seclabel>
</domain>

This patch only introduces the XML and documentation; future patches
will actually parse and make use of it.  The intent is that we can
further extend things as needed, adding a per-device <seclabel> in
more places (such as the source of a console device), and possibly
allowing a <baselabel> instead of <label> for labeling where we want
to reuse the cNNN,cNNN pair of a dynamically labeled domain but a
different base label.

First suggested by Daniel P. Berrange here:
https://www.redhat.com/archives/libvir-list/2011-December/msg00258.html

* docs/schemas/domaincommon.rng (devSeclabel): New define.
(disk): Use it.
* docs/formatdomain.html.in (elementsDisks, seclabel): Document
the new XML.
* tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-override.xml:
New test, to validate RNG.

docs/formatdomain.html.in

@@ -947,7 +947,9 @@
   <devices>
     <disk type='file' snapshot='external'>
       <driver name="tap" type="aio" cache="default"/>
-      <source file='/var/lib/xen/images/fv0' startupPolicy='optional'/>
+      <source file='/var/lib/xen/images/fv0'/ startupPolicy='optional'>
+        <seclabel relabel='no'/>
+      </source>
       <target dev='hda' bus='ide'/>
       <iotune>
         <total_bytes_sec>10000000</total_bytes_sec>
@@ -1023,7 +1025,11 @@
         path to the file holding the disk. If the disk
         <code>type</code> is "block", then the <code>dev</code>
         attribute specifies the path to the host device to serve as
-        the disk. If the disk <code>type</code> is "dir", then the
+        the disk. With both "file" and "block", an optional
+        sub-element <code>seclabel</code>, <a href="#seclabel">described
+        below</a> (and <span class="since">since 0.9.9</span>), can be
+        used to override the domain security labeling policy for just
+        that source file.  If the disk <code>type</code> is "dir", then the
         <code>dir</code> attribute specifies the fully-qualified path
         to the directory to use as the disk. If the disk <code>type</code>
         is "network", then the <code>protocol</code> attribute specifies
@@ -1031,7 +1037,7 @@
         are "nbd", "rbd", and "sheepdog".  If the <code>protocol</code>
         attribute is "rbd" or "sheepdog", an additional
         attribute <code>name</code> is mandatory to specify which
-        image to be used.  When the disk <code>type</code> is
+        image will be used.  When the disk <code>type</code> is
         "network", the <code>source</code> may have zero or
         more <code>host</code> sub-elements used to specify the hosts
         to connect.
@@ -3372,11 +3378,11 @@ qemu-kvm -net nic,model=? /dev/null
       With static label assignment, by default, the administrator
       or application must ensure labels are set correctly on any
       resources, however, automatic relabeling can be enabled
-      if desired
+      if desired.
     </p>
 
     <p>
-      Valid input XML configurations for the security label
+      Valid input XML configurations for the top-level security label
       are:
     </p>
 
@@ -3435,6 +3441,19 @@ qemu-kvm -net nic,model=? /dev/null
       </dd>
     </dl>
 
+    <p>When relabeling is in effect, it is also possible to fine-tune
+      the labeling done for specific source file names, by either
+      disabling the labeling (useful if the file lives on NFS or other
+      file system that lacks security labeling) or requesting an
+      alternate label (useful when a management application creates a
+      special label to allow sharing of some, but not all, resources
+      between domains), <span class="since">since 0.9.9</span>.  When
+      a <code>seclabel</code> element is attached to a specific path
+      rather than the top-level domain assignment, only the
+      attribute <code>relabel</code> or the
+      sub-element <code>label</code> are supported.
+    </p>
+
     <h2><a name="examples">Example configs</a></h2>
 
     <p>

docs/schemas/domaincommon.rng

@@ -116,6 +116,27 @@
       </choice>
     </element>
   </define>
+  <define name="devSeclabel">
+    <element name="seclabel">
+      <!-- A per-device seclabel override is more limited, either
+           relabel=no or a <label> must be present.  -->
+      <choice>
+        <attribute name='relabel'>
+          <value>no</value>
+        </attribute>
+        <group>
+          <optional>
+            <attribute name='relabel'>
+              <value>yes</value>
+            </attribute>
+          </optional>
+          <element name='label'>
+            <text/>
+          </element>
+        </group>
+      </choice>
+    </element>
+  </define>
   <define name="hvs">
     <attribute name="type">
       <choice>
@@ -795,7 +816,9 @@
                 <optional>
                   <ref name="startupPolicy"/>
                 </optional>
-                <empty/>
+                <optional>
+                  <ref name='devSeclabel'/>
+                </optional>
               </element>
             </optional>
             <ref name="diskspec"/>
@@ -811,7 +834,9 @@
                 <attribute name="dev">
                   <ref name="absFilePath"/>
                 </attribute>
-                <empty/>
+                <optional>
+                  <ref name='devSeclabel'/>
+                </optional>
               </element>
             </optional>
             <ref name="diskspec"/>

tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-override.xml

@@ -0,0 +1,40 @@
+<domain type='qemu'>
+  <name>QEMUGuest1</name>
+  <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+  <memory>219100</memory>
+  <currentMemory>219100</currentMemory>
+  <vcpu cpuset='1-4,8-20,525'>1</vcpu>
+  <os>
+    <type arch='i686' machine='pc'>hvm</type>
+    <boot dev='hd'/>
+  </os>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <devices>
+    <emulator>/usr/bin/qemu</emulator>
+    <disk type='block' device='disk'>
+      <source dev='/dev/HostVG/QEMUGuest1'>
+        <seclabel relabel='no'/>
+      </source>
+      <target dev='hda' bus='ide'/>
+      <address type='drive' controller='0' bus='0' unit='0'/>
+    </disk>
+    <disk type='block' device='disk'>
+      <source dev='/dev/HostVG/QEMUGuest2'>
+        <seclabel relabel='yes'>
+          <label>system_u:system_r:public_content_t:s0</label>
+        </seclabel>
+      </source>
+      <target dev='hdb' bus='ide'/>
+      <readonly/>
+      <address type='drive' controller='0' bus='0' unit='0'/>
+    </disk>
+    <controller type='ide' index='0'/>
+    <memballoon model='virtio'/>
+  </devices>
+  <seclabel type='dynamic' model='selinux' relabel='yes'>
+    <baselabel>system_u:system_r:svirt_custom_t:s0</baselabel>
+  </seclabel>
+</domain>