diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index 928d9e6629..d468299a50 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -947,7 +947,9 @@
<devices>
<disk type='file' snapshot='external'>
<driver name="tap" type="aio" cache="default"/>
- <source file='/var/lib/xen/images/fv0' startupPolicy='optional'/>
+ <source file='/var/lib/xen/images/fv0'/ startupPolicy='optional'>
+ <seclabel relabel='no'/>
+ </source>
<target dev='hda' bus='ide'/>
<iotune>
<total_bytes_sec>10000000</total_bytes_sec>
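Review bot: the added `<source>` line in this example is not well-formed XML, because the `/` was left in place before `startupPolicy` when the element was opened up to hold a child. It should read `<source file='/var/lib/xen/images/fv0' startupPolicy='optional'>`, so that the `<seclabel relabel='no'/>` child and the closing `</source>` parse. Readers copy this example verbatim, so it is worth running the rendered snippet through the RNG schema before pushing.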
@@ -1023,7 +1025,11 @@
path to the file holding the disk. If the disk
type
is "block", then the dev
attribute specifies the path to the host device to serve as
- the disk. If the disk type
is "dir", then the
+ the disk. With both "file" and "block", an optional
+ sub-element seclabel
, described
+ below (and since 0.9.9), can be
+ used to override the domain security labeling policy for just
+ that source file. If the disk type
is "dir", then the
dir
attribute specifies the fully-qualified path
to the directory to use as the disk. If the disk type
is "network", then the protocol
attribute specifies
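Review bot: the added sentence allows the seclabel sub-element for both "file" and "block" but then says it overrides the policy "for just that source file". For a "block" disk the source is the host device named by dev, so the wording should cover both, for example "for just that source file or device". It would also help to name here the two things a per-source seclabel can carry (the relabel attribute and the label sub-element), since "described below" sends the reader to a section that mostly documents the top-level element.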
@@ -1031,7 +1037,7 @@
are "nbd", "rbd", and "sheepdog". If the protocol
attribute is "rbd" or "sheepdog", an additional
attribute name
is mandatory to specify which
- image to be used. When the disk type
is
+ image will be used. When the disk type
is
"network", the source
may have zero or
more host
sub-elements used to specify the hosts
to connect.
@@ -3372,11 +3378,11 @@ qemu-kvm -net nic,model=? /dev/null
With static label assignment, by default, the administrator
or application must ensure labels are set correctly on any
resources, however, automatic relabeling can be enabled
- if desired
+ if desired.
- Valid input XML configurations for the security label + Valid input XML configurations for the top-level security label are:
@@ -3435,6 +3441,19 @@ qemu-kvm -net nic,model=? /dev/null +When relabeling is in effect, it is also possible to fine-tune
+ the labeling done for specific source file names, by either
+ disabling the labeling (useful if the file lives on NFS or other
+ file system that lacks security labeling) or requesting an
+ alternate label (useful when a management application creates a
+ special label to allow sharing of some, but not all, resources
+ between domains), since 0.9.9. When
+ a seclabel
element is attached to a specific path
+ rather than the top-level domain assignment, only the
+ attribute relabel
or the
+ sub-element label
are supported.
+
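Review bot: the closing sentence of the added paragraph, "only the attribute relabel or the sub-element label are supported", does not say whether the two may appear together on a per-path seclabel, or what relabel='no' combined with a label would mean. Please spell out the valid combinations, in the same way the top-level section lists its valid input configurations. Since disabling labeling for a path leaves the file with whatever label it already has, the paragraph should also state that the administrator or management application is then responsible for that file being accessible to the guest, mirroring the sentence about static labels earlier in this section.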
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index dd76f91f3a..7a8f7f436a 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -116,6 +116,27 @@
+