libvirt/src/conf
Daniel P. Berrange b170eb99f5 Add two new security label types
Curently security labels can be of type 'dynamic' or 'static'.
If no security label is given, then 'dynamic' is assumed. The
current code takes advantage of this default, and avoids even
saving <seclabel> elements with type='dynamic' to disk. This
means if you temporarily change security driver, the guests
can all still start.

With the introduction of sVirt to LXC though, there needs to be
a new default of 'none' to allow unconfined LXC containers.

This patch introduces two new security label types

 - default:  the host configuration decides whether to run the
             guest with type 'none' or 'dynamic' at guest start
 - none:     the guest will run unconfined by security policy

The 'none' label type will obviously be undesirable for some
deployments, so a new qemu.conf option allows a host admin to
mandate confined guests. It is also possible to turn off default
confinement

  security_default_confined = 1|0  (default == 1)
  security_require_confined = 1|0  (default == 0)

* src/conf/domain_conf.c, src/conf/domain_conf.h: Add new
  seclabel types
* src/security/security_manager.c, src/security/security_manager.h:
  Set default sec label types
* src/security/security_selinux.c: Handle 'none' seclabel type
* src/qemu/qemu.conf, src/qemu/qemu_conf.c, src/qemu/qemu_conf.h,
  src/qemu/libvirtd_qemu.aug: New security config options
* src/qemu/qemu_driver.c: Tell security driver about default
  config
2012-02-02 17:44:37 -07:00
..
capabilities.c Rename virXXXXMacAddr to virMacAddrXXX 2012-01-27 17:53:44 +00:00
capabilities.h Move virMacAddrXXX functions to src/util/virmacaddr.[ch] 2012-01-27 17:56:10 +00:00
cpu_conf.c cpu: Update guest CPU in host-* mode 2012-01-17 11:42:56 +01:00
cpu_conf.h cpu: Update guest CPU in host-* mode 2012-01-17 11:42:56 +01:00
domain_audit.c Rename virXXXXMacAddr to virMacAddrXXX 2012-01-27 17:53:44 +00:00
domain_audit.h snapshot: make it possible to audit external snapshot 2011-09-05 07:03:05 -06:00
domain_conf.c Add two new security label types 2012-02-02 17:44:37 -07:00
domain_conf.h Add two new security label types 2012-02-02 17:44:37 -07:00
domain_event.c events: Return the correct number of registered events 2012-01-13 13:59:48 -07:00
domain_event.h Only add the timer when a callback is registered 2011-12-19 11:08:25 +00:00
domain_nwfilter.c Pass the VM's UUID into the nwfilter subsystem 2011-12-08 21:35:20 -05:00
domain_nwfilter.h Pass the VM's UUID into the nwfilter subsystem 2011-12-08 21:35:20 -05:00
interface_conf.c conf: Improve incorrect root element error messages 2011-11-28 15:12:37 +01:00
interface_conf.h interface: implement a test driver for network config transaction API. 2011-05-27 14:34:13 -04:00
netdev_bandwidth_conf.c Split src/util/network.{c,h} into 5 pieces 2011-11-15 10:27:54 +00:00
netdev_bandwidth_conf.h Split src/util/network.{c,h} into 5 pieces 2011-11-15 10:27:54 +00:00
netdev_vport_profile_conf.c maint: typo fixes 2011-12-01 16:08:34 -07:00
netdev_vport_profile_conf.h Split src/util/network.{c,h} into 5 pieces 2011-11-15 10:27:54 +00:00
network_conf.c Rename virXXXXMacAddr to virMacAddrXXX 2012-01-27 17:53:44 +00:00
network_conf.h Move virMacAddrXXX functions to src/util/virmacaddr.[ch] 2012-01-27 17:56:10 +00:00
node_device_conf.c npiv: Expose fabric_name outside 2011-12-07 18:42:08 +08:00
node_device_conf.h npiv: Expose fabric_name outside 2011-12-07 18:42:08 +08:00
nwfilter_conf.c Rename virXXXXMacAddr to virMacAddrXXX 2012-01-27 17:53:44 +00:00
nwfilter_conf.h nwfilter: Force instantiation of filters upon driver reload 2012-01-27 08:19:58 -05:00
nwfilter_params.c build: avoid spurious compiler warning 2012-01-11 06:32:52 -07:00
nwfilter_params.h Rename hash.h and hash.c to virhash.h and virhash.c 2012-01-26 14:11:13 +00:00
secret_conf.c conf: Improve incorrect root element error messages 2011-11-28 15:12:37 +01:00
secret_conf.h secret: add Ceph secret type 2011-10-28 11:34:17 -06:00
storage_conf.c Fix storage pool source comparison to avoid comparing with self 2011-11-01 11:13:29 +00:00
storage_conf.h storage: make previous leak less likely to regress 2011-10-24 19:42:49 -06:00
storage_encryption_conf.c snapshot: simplify indentation of disk encryption xml 2011-10-26 11:14:43 -06:00
storage_encryption_conf.h snapshot: simplify indentation of disk encryption xml 2011-10-26 11:14:43 -06:00