mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2025-03-07 17:28:15 +00:00
Don't autogenerate seclabels of type 'none'
When security drivers are active but confinement is not enabled, there is no need to autogenerate <seclabel> elements when starting a domain def that contains no <seclabel> elements. In fact, autogenerating the elements can result in needless save/restore and migration failures when the security driver is not active on the restore/migration target. This patch changes the virSecurityManagerGenLabel function in src/security_manager.c to only autogenerate a <seclabel> element if none is already defined for the domain *and* default confinement is enabled. Otherwise the needless <seclabel> autogeneration is skipped. Resolves: https://bugzilla.opensuse.org/show_bug.cgi?id=1051017
parent
ff7e0a1a40
commit
0f1993aa15
@ -650,31 +650,33 @@ virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
|
||||
for (i = 0; sec_managers[i]; i++) {
|
||||
generated = false;
|
||||
seclabel = virDomainDefGetSecurityLabelDef(vm, sec_managers[i]->drv->name);
|
||||
if (!seclabel) {
|
||||
if (!(seclabel = virSecurityLabelDefNew(sec_managers[i]->drv->name)))
|
||||
goto cleanup;
|
||||
generated = seclabel->implicit = true;
|
||||
}
|
||||
|
||||
if (seclabel->type == VIR_DOMAIN_SECLABEL_DEFAULT) {
|
||||
if (virSecurityManagerGetDefaultConfined(sec_managers[i])) {
|
||||
seclabel->type = VIR_DOMAIN_SECLABEL_DYNAMIC;
|
||||
} else {
|
||||
seclabel->type = VIR_DOMAIN_SECLABEL_NONE;
|
||||
seclabel->relabel = false;
|
||||
}
|
||||
}
|
||||
|
||||
if (seclabel->type == VIR_DOMAIN_SECLABEL_NONE) {
|
||||
if (virSecurityManagerGetRequireConfined(sec_managers[i])) {
|
||||
virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
|
||||
_("Unconfined guests are not allowed on this host"));
|
||||
goto cleanup;
|
||||
} else if (vm->nseclabels && generated) {
|
||||
VIR_DEBUG("Skipping auto generated seclabel of type none");
|
||||
virSecurityLabelDefFree(seclabel);
|
||||
seclabel = NULL;
|
||||
if (seclabel == NULL) {
|
||||
/* Only generate seclabel if confinement is enabled */
|
||||
if (!virSecurityManagerGetDefaultConfined(sec_managers[i])) {
|
||||
VIR_DEBUG("Skipping auto generated seclabel");
|
||||
continue;
|
||||
} else {
|
||||
if (!(seclabel = virSecurityLabelDefNew(sec_managers[i]->drv->name)))
|
||||
goto cleanup;
|
||||
generated = seclabel->implicit = true;
|
||||
seclabel->type = VIR_DOMAIN_SECLABEL_DYNAMIC;
|
||||
}
|
||||
} else {
|
||||
if (seclabel->type == VIR_DOMAIN_SECLABEL_DEFAULT) {
|
||||
if (virSecurityManagerGetDefaultConfined(sec_managers[i])) {
|
||||
seclabel->type = VIR_DOMAIN_SECLABEL_DYNAMIC;
|
||||
} else {
|
||||
seclabel->type = VIR_DOMAIN_SECLABEL_NONE;
|
||||
seclabel->relabel = false;
|
||||
}
|
||||
}
|
||||
|
||||
if (seclabel->type == VIR_DOMAIN_SECLABEL_NONE) {
|
||||
if (virSecurityManagerGetRequireConfined(sec_managers[i])) {
|
||||
virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
|
||||
_("Unconfined guests are not allowed on this host"));
|
||||
goto cleanup;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
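Review bot: In the new `seclabel == NULL` branch, the `continue` taken when `virSecurityManagerGetDefaultConfined()` returns false bypasses the `virSecurityManagerGetRequireConfined()` test, which now lives only in the `else` branch. Before this change, a domain with no `<seclabel>` received an implicit label of type none and was rejected with "Unconfined guests are not allowed on this host" when confinement was required. With the new flow the same domain appears to proceed with no label for that driver and no error. If a host can run with default confinement off and require-confined on (the config validation is not visible here), the require-confined test should run before the `continue`, as sketched below. The function starts before and continues past this hunk, so a check outside the view may already cover this case.

```c
        if (seclabel == NULL) {
            /* Only generate seclabel if confinement is enabled */
            if (!virSecurityManagerGetDefaultConfined(sec_managers[i])) {
                /* No label will exist for this driver: still honour require-confined */
                if (virSecurityManagerGetRequireConfined(sec_managers[i])) {
                    virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
                                   _("Unconfined guests are not allowed on this host"));
                    goto cleanup;
                }
                VIR_DEBUG("Skipping auto generated seclabel");
                continue;
            } else {
                /* … unchanged: allocate implicit label, set type to DYNAMIC … */
```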