xenbits.xensource.com Git - libvirt.git/commit

author	Marcelo Cerri <mhcerri@linux.vnet.ibm.com>
	Tue, 2 Oct 2012 17:57:36 +0000 (14:57 -0300)
committer	Peter Krempa <pkrempa@redhat.com>
	Wed, 3 Oct 2012 10:15:03 +0000 (12:15 +0200)
commit	60469dd10f97fcba60f0eeeae6965b83fbb9d652
tree	421dbe437d19dd94f2e68bcf712d724126d05955	tree
parent	814a8deaa1529e1bc09b5c38e6cd625f9c2fed6b	commit \| diff

security: also parse user/group names instead of just IDs for DAC labels

The DAC driver is missing parsing of group and user names for DAC labels
and currently just parses uid and gid. This patch extends it to support
names, so the following security label definition is now valid:

  <seclabel type='static' model='dac' relabel='yes'>
      <label>qemu:qemu</label>
      <imagelabel>qemu:qemu</imagelabel>
  </seclabel>

When it tries to parse an owner or a group, it first tries to resolve it as
a name, if it fails or it's an invalid user/group name then it tries to
parse it as an UID or GID. A leading '+' can also be used for both owner and
group to force it to be parsed as IDs, so the following example is also
valid:

  <seclabel type='static' model='dac' relabel='yes'>
      <label>+101:+101</label>
      <imagelabel>+101:+101</imagelabel>
  </seclabel>

This ensures that UID 101 and GUI 101 will be used instead of an user or
group named "101".