sVirt Change Log ------------------ ----------------------------------------------------------------------------- v0.20 - 11/Dec/2008 ----------------------------------------------------------------------------- * Published TODO list: http://selinuxproject.org/page/SVirt/TODO * Rebased to current upstream: converted to new build system, locking etc. * Changed DOI format to an integer value, represented via a string, defaulting to "0". Ongoing general discussion on DOI formats and semantics may be found at: http://mail.opensolaris.org/mailman/listinfo/doi-discuss * Introduced the concept of a "security model", to more easily distinguish between security models and labels in the API. * The security model and DOI attributes are now properties of the hypervisor (instead of the domain label), and included in its host capabilities, e.g.: x86_64 selinux 0 .... Implicit here is the assumption that each hypervisor may only be associated with one security model. * Integrated security model support into "virsh capabilities". * The domain configuration label is now of the form: .... * The model attribute of the seclabel element above is validated against the host security model at runtime. * The output of "virsh dominfo" for a running labeled domain is now as follows: # dominfo sys1 Id: 1 Name: sys1 UUID: fa3c8e06-0877-2a08-06fd-f2479b7bacb0 OS Type: hvm Security model: selinux Security DOI: 0 State: running CPU(s): 1 CPU time: 24.9s Max memory: 524288 kB Used memory: 524288 kB Autostart: disable Security label: system_u:system_r:virtd_t:s0 (enforcing) * The security policy enforcing is a dynamic property of the domain security label, as it may be applied on a per-domain basis. * The main aspects to security labeling support in the library and associated data structures are as follows: Domain configuration: virDomainSecLabelDef Host capabilities: virDomainSecModel Active domain state: virDomainSecLabel -----------------------------------------------------------------------------