[libvirt] [PATCH 2/3] docs: schemas: Add 'seclabel' for external disk snapshot

Peter Krempa posted 3 patches 6 years, 7 months ago
[libvirt] [PATCH 2/3] docs: schemas: Add 'seclabel' for external disk snapshot
Posted by Peter Krempa 6 years, 7 months ago
Allow using seclabels the same way as disk images allow it. Currently
the snapshot code copies the seclabels from the original image if no
seclabel is provided. Also there's no code change required as the
snapshot XML parser actually uses parts of the disk parser thus
seclabels are already parsed and formatted and even applied thus this is
just a formalization of our support for this.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
---
 docs/formatsnapshot.html.in                          | 12 ++++++++++++
 docs/schemas/domainsnapshot.rng                      |  6 ++++++
 .../{disk-seclabel-invalid.xml => disk-seclabel.xml} |  0
 3 files changed, 18 insertions(+)
 rename tests/domainsnapshotxml2xmlin/{disk-seclabel-invalid.xml => disk-seclabel.xml} (100%)

diff --git a/docs/formatsnapshot.html.in b/docs/formatsnapshot.html.in
index a19e91b4d5..92cc566467 100644
--- a/docs/formatsnapshot.html.in
+++ b/docs/formatsnapshot.html.in
@@ -170,6 +170,12 @@
               snapshots, the original file name becomes the read-only
               snapshot, and the new file name contains the read-write
               delta of all disk changes since the snapshot.
+              <p/>
+              The <code>source</code> element also may contain the
+              <code>seclabel</code> element (described in the
+              <a href="formatdomain.html#seclabel">domain XML documentation</a>)
+              which can be used to override the domain security labeling policy
+              for <code>source</code>.
               </dd>
               <dt><code>driver</code></dt>
               <dd>An optional sub-element <code>driver</code>,
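Review bot: the paragraph added under `source` does not say what happens when no `seclabel` is given. The commit message states that the snapshot code copies the seclabels from the original image in that case; that default belongs in this text, because it is what a reader needs in order to decide whether an override is necessary at all. Minor wording: "also may contain" reads better as "may also contain".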
@@ -177,6 +183,7 @@
               as qcow2), of the new file created by the external
               snapshot of the new file.
               </dd>
+              <dt><code>seclabel</code></dt>
             </dl>

             <span class="since">Since 1.2.2</span> the <code>disk</code> element
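Review bot: the added `<dt><code>seclabel</code></dt>` has no `<dd>` after it, so the list gains a term with an empty definition. It also lists `seclabel` as a sibling of `driver`, while the schema change in this patch and the paragraph added in the previous hunk place it inside `source`. Either drop this line or follow it with a `<dd>` that states the nesting.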
@@ -259,6 +266,11 @@
       &lt;source file='/path/to/new'/&gt;
     &lt;/disk&gt;
     &lt;disk name='vdb' snapshot='no'/&gt;
+    &lt;disk name='vdc'&gt;
+      &lt;source file='/path/to/newc'&gt;
+        &lt;seclabel model='dac' relabel='no'/&gt;
+      &lt;/source&gt;
+    &lt;/disk&gt;
   &lt;/disks&gt;
 &lt;/domainsnapshot&gt;</pre>

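Review bot: the `vdc` entry is the only place the reader sees the element in use, and it shows `relabel='no'` with no text saying what that setting means for the new file `/path/to/newc`. A sentence next to the example, or an XML comment inside it, would make the example self-explanatory.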
diff --git a/docs/schemas/domainsnapshot.rng b/docs/schemas/domainsnapshot.rng
index 8863d99578..8e39feb229 100644
--- a/docs/schemas/domainsnapshot.rng
+++ b/docs/schemas/domainsnapshot.rng
@@ -157,6 +157,9 @@
                     <optional>
                       <ref name='storageStartupPolicy'/>
                     </optional>
+                    <zeroOrMore>
+                      <ref name='devSeclabel'/>
+                    </zeroOrMore>
                     <empty/>
                   </element>
                 </optional>
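Review bot: `devSeclabel` is referenced here but not defined in any visible line of domainsnapshot.rng, so please confirm that the schema defining it is included by this file. `<zeroOrMore>` also permits several `seclabel` children, whereas the documentation added in this patch speaks of "the seclabel element" in the singular; the docs should state that more than one is accepted.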
@@ -173,6 +176,9 @@
                     <attribute name="dev">
                       <ref name="absFilePath"/>
                     </attribute>
+                    <zeroOrMore>
+                      <ref name='devSeclabel'/>
+                    </zeroOrMore>
                     <empty/>
                   </element>
                 </optional>
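Review bot: the added `<ref name='devSeclabel'/>` uses single quotes while the context lines of this hunk (`<attribute name="dev">`, `<ref name="absFilePath"/>`) use double quotes. Matching the surrounding quoting keeps the block consistent.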
diff --git a/tests/domainsnapshotxml2xmlin/disk-seclabel-invalid.xml b/tests/domainsnapshotxml2xmlin/disk-seclabel.xml
similarity index 100%
rename from tests/domainsnapshotxml2xmlin/disk-seclabel-invalid.xml
rename to tests/domainsnapshotxml2xmlin/disk-seclabel.xml
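Review bot: the rename from `disk-seclabel-invalid.xml` to `disk-seclabel.xml` is not mentioned in the commit message. A sentence saying that this test input is now expected to validate against the schema would record why the file moved. The diffstat lists no other change under tests/, so please also confirm that nothing else still refers to the old name.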
-- 
2.21.0

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH 2/3] docs: schemas: Add 'seclabel' for external disk snapshot
Posted by Eric Blake 6 years, 7 months ago
On 6/20/19 8:51 AM, Peter Krempa wrote:
> Allow using seclabels the same way as disk images allow it. Currently
> the snapshot code copies the seclabels from the original image if no
> seclabel is provided. Also there's no code change required as the
> snapshot XML parser actually uses parts of the disk parser thus
> seclabels are already parsed and formatted and even applied thus this is
> just a formalization of our support for this.

Yay! The backup code needs this too, so I get to reuse this change.

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3226
Virtualization:  qemu.org | libvirt.org
