External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-01-11 15:27:47 +00:00
Code Issues Packages Projects Releases Wiki Activity
Libvirt provides a portable, long term stable C API for managing the virtualization technologies provided by many operating systems. It includes support for QEMU, KVM, Xen, LXC, bhyve, Virtuozzo, VMware vCenter and ESX, VMware Desktop, Hyper-V, VirtualBox and the POWER Hypervisor.
8,939 Commits 67 Branches 630 Tags 885 MiB
C 94.8%
Python 2%
Meson 0.9%
Shell 0.8%
Dockerfile 0.6%
Other 0.8%
6cb4acce8b
Go to file
Eric Blake 6cb4acce8b seclabel: extend XML to allow per-disk label overrides 
When doing security relabeling, there are cases where a per-file
override might be appropriate.  For example, with a static label
and relabeling, it might be appropriate to skip relabeling on a
particular disk, where the backing file lives on NFS that lacks
the ability to track labeling.  Or with dynamic labeling, it might
be appropriate to use a custom (non-dynamic) label for a disk
specifically intended to be shared across domains.

The new XML resembles the top-level <seclabel>, but with fewer
options (basically relabel='no', or <label>text</label>):

<domain ...>
  ...
  <devices>
    <disk type='file' device='disk'>
      <source file='/path/to/image1'>
        <seclabel relabel='no'/> <!-- override for just this disk -->
      </source>
      ...
    </disk>
    <disk type='file' device='disk'>
      <source file='/path/to/image1'>
        <seclabel relabel='yes'> <!-- override for just this disk -->
          <label>system_u:object_r:shared_content_t:s0</label>
        </seclabel>
      </source>
      ...
    </disk>
    ...
  </devices>
  <seclabel type='dynamic' model='selinux'>
    <baselabel>text</baselabel> <!-- used for all devices without override -->
  </seclabel>
</domain>

This patch only introduces the XML and documentation; future patches
will actually parse and make use of it.  The intent is that we can
further extend things as needed, adding a per-device <seclabel> in
more places (such as the source of a console device), and possibly
allowing a <baselabel> instead of <label> for labeling where we want
to reuse the cNNN,cNNN pair of a dynamically labeled domain but a
different base label.

First suggested by Daniel P. Berrange here:
https://www.redhat.com/archives/libvir-list/2011-December/msg00258.html

* docs/schemas/domaincommon.rng (devSeclabel): New define.
(disk): Use it.
* docs/formatdomain.html.in (elementsDisks, seclabel): Document
the new XML.
* tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-override.xml:
New test, to validate RNG.
2011-12-30 10:57:58 +08:00
.gnulib@6b93d00f54 build: update to latest gnulib 2011-12-01 14:12:59 -07:00
daemon domiftune: Add support of new APIs to the remote driver 2011-12-29 18:25:26 +08:00
docs seclabel: extend XML to allow per-disk label overrides 2011-12-30 10:57:58 +08:00
examples examples: Update event tests for shutdown event 2011-12-05 17:35:29 +01:00
gnulib build: update to latest gnulib 2011-12-01 14:12:59 -07:00
include domiftune: Add API virDomain{S,G}etInterfaceParameters 2011-12-29 18:24:43 +08:00
m4 build: reduce warnings from older gcc 2011-12-05 10:14:55 -07:00
po Release of libvirt-0.9.8 2011-12-08 15:13:50 +08:00
python domiftune: Add API virDomain{S,G}etInterfaceParameters 2011-12-29 18:24:43 +08:00
src seclabel: move seclabel stuff earlier 2011-12-30 10:38:37 +08:00
tests seclabel: extend XML to allow per-disk label overrides 2011-12-30 10:57:58 +08:00
tools domiftune: Enable the virDomain{S,G}etInterfaceParameters in virsh 2011-12-29 18:29:25 +08:00
.dir-locals.el maint: let emacs avoid tabs in rng files 2011-08-13 08:56:26 -06:00
.gitignore Define keepalive protocol 2011-11-24 11:44:08 +01:00
.gitmodules make .gnulib a submodule 2009-07-08 16:17:51 +02:00
.mailmap maint: use mailmap, not AUTHORS, for secondary addresses 2011-11-11 08:56:19 -07:00
AUTHORS Maint: Update AUTHORs 2011-12-12 21:58:52 +08:00
autobuild.sh Disable python explicitly in mingw32 autobuild 2011-12-19 13:44:18 +00:00
autogen.sh build: allow for local gnulib diffs 2011-11-09 09:03:33 -07:00
bootstrap build: fix compilation on mingw64 2011-08-19 07:20:10 -06:00
bootstrap.conf maint: allow bootstrap in a sandbox 2011-12-08 14:37:15 -07:00
cfg.mk build: update to latest gnulib 2011-12-01 14:12:59 -07:00
ChangeLog-old generate ChangeLog from git logs into distribution tarball 2009-07-08 16:17:51 +02:00
configure.ac build: disable dtrace on non-Linux builds 2011-12-16 08:46:41 -07:00
COPYING.LIB remove all trailing blank lines 2009-07-16 15:06:42 +02:00
HACKING Document STREQ_NULLABLE and STRNEQ_NULLABLE 2011-10-06 16:50:38 +02:00
libvirt.pc.in * libvirt.pc.in: applied patch from Daniel Berrange to fix --cflags 2006-03-24 13:18:12 +00:00
libvirt.spec.in Require avahi as an rpm dependancy 2011-12-29 22:01:57 +08:00
Makefile.am maint: add missing copyright notices 2011-07-28 15:01:17 -06:00
Makefile.nonreentrant Ban use of all inet_* functions 2010-10-22 11:59:23 +01:00
mingw32-libvirt.spec.in spec: make it easier to autoreconf when building rpm 2011-12-08 09:49:50 -07:00
README Correct typos in the documentation (Atsushi SAKAI) 2008-01-24 10:15:13 +00:00
README-hacking maint: relax git minimum version 2010-02-24 14:29:27 -05:00
TODO Update todo list file to point at bugzilla/website 2010-10-13 16:45:26 +01:00

README 

         LibVirt : simple API for virtualization

  Libvirt is a C toolkit to interact with the virtualization capabilities
of recent versions of Linux (and other OSes). It is free software
available under the GNU Lesser General Public License. Virtualization of
the Linux Operating System means the ability to run multiple instances of
Operating Systems concurrently on a single hardware system where the basic
resources are driven by a Linux instance. The library aim at providing
long term stable C API initially for the Xen paravirtualization but
should be able to integrate other virtualization mechanisms if needed.

Daniel Veillard <veillard@redhat.com>