1
0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-03-07 17:28:15 +00:00

Don't autogenerate seclabels of type 'none'

When security drivers are active but confinement is not enabled,
there is no need to autogenerate <seclabel> elements when starting
a domain def that contains no <seclabel> elements. In fact,
autogenerating the elements can result in needless save/restore and
migration failures when the security driver is not active on the
restore/migration target.

This patch changes the virSecurityManagerGenLabel function in
src/security_manager.c to only autogenerate a <seclabel> element
if none is already defined for the domain *and* default
confinement is enabled. Otherwise the needless <seclabel>
autogeneration is skipped.

Resolves: https://bugzilla.opensuse.org/show_bug.cgi?id=1051017
This commit is contained in:
Jim Fehlig 2017-08-16 15:46:55 -06:00
parent ff7e0a1a40
commit 0f1993aa15

View File

@ -650,31 +650,33 @@ virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
for (i = 0; sec_managers[i]; i++) {
generated = false;
seclabel = virDomainDefGetSecurityLabelDef(vm, sec_managers[i]->drv->name);
if (!seclabel) {
if (!(seclabel = virSecurityLabelDefNew(sec_managers[i]->drv->name)))
goto cleanup;
generated = seclabel->implicit = true;
}
if (seclabel->type == VIR_DOMAIN_SECLABEL_DEFAULT) {
if (virSecurityManagerGetDefaultConfined(sec_managers[i])) {
seclabel->type = VIR_DOMAIN_SECLABEL_DYNAMIC;
} else {
seclabel->type = VIR_DOMAIN_SECLABEL_NONE;
seclabel->relabel = false;
}
}
if (seclabel->type == VIR_DOMAIN_SECLABEL_NONE) {
if (virSecurityManagerGetRequireConfined(sec_managers[i])) {
virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
_("Unconfined guests are not allowed on this host"));
goto cleanup;
} else if (vm->nseclabels && generated) {
VIR_DEBUG("Skipping auto generated seclabel of type none");
virSecurityLabelDefFree(seclabel);
seclabel = NULL;
if (seclabel == NULL) {
/* Only generate seclabel if confinement is enabled */
if (!virSecurityManagerGetDefaultConfined(sec_managers[i])) {
VIR_DEBUG("Skipping auto generated seclabel");
continue;
} else {
if (!(seclabel = virSecurityLabelDefNew(sec_managers[i]->drv->name)))
goto cleanup;
generated = seclabel->implicit = true;
seclabel->type = VIR_DOMAIN_SECLABEL_DYNAMIC;
}
} else {
if (seclabel->type == VIR_DOMAIN_SECLABEL_DEFAULT) {
if (virSecurityManagerGetDefaultConfined(sec_managers[i])) {
seclabel->type = VIR_DOMAIN_SECLABEL_DYNAMIC;
} else {
seclabel->type = VIR_DOMAIN_SECLABEL_NONE;
seclabel->relabel = false;
}
}
if (seclabel->type == VIR_DOMAIN_SECLABEL_NONE) {
if (virSecurityManagerGetRequireConfined(sec_managers[i])) {
virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
_("Unconfined guests are not allowed on this host"));
goto cleanup;
}
}
}