mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2025-03-07 17:28:15 +00:00
Don't autogenerate seclabels of type 'none'
When security drivers are active but confinement is not enabled, there is no need to autogenerate <seclabel> elements when starting a domain def that contains no <seclabel> elements. In fact, autogenerating the elements can result in needless save/restore and migration failures when the security driver is not active on the restore/migration target. This patch changes the virSecurityManagerGenLabel function in src/security_manager.c to only autogenerate a <seclabel> element if none is already defined for the domain *and* default confinement is enabled. Otherwise the needless <seclabel> autogeneration is skipped. Resolves: https://bugzilla.opensuse.org/show_bug.cgi?id=1051017
parent
ff7e0a1a40
commit
0f1993aa15
@ -650,12 +650,18 @@ virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
|
|||||||
for (i = 0; sec_managers[i]; i++) {
|
for (i = 0; sec_managers[i]; i++) {
|
||||||
generated = false;
|
generated = false;
|
||||||
seclabel = virDomainDefGetSecurityLabelDef(vm, sec_managers[i]->drv->name);
|
seclabel = virDomainDefGetSecurityLabelDef(vm, sec_managers[i]->drv->name);
|
||||||
if (!seclabel) {
|
if (seclabel == NULL) {
|
||||||
|
/* Only generate seclabel if confinement is enabled */
|
||||||
|
if (!virSecurityManagerGetDefaultConfined(sec_managers[i])) {
|
||||||
|
VIR_DEBUG("Skipping auto generated seclabel");
|
||||||
|
continue;
|
||||||
|
} else {
|
||||||
if (!(seclabel = virSecurityLabelDefNew(sec_managers[i]->drv->name)))
|
if (!(seclabel = virSecurityLabelDefNew(sec_managers[i]->drv->name)))
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
generated = seclabel->implicit = true;
|
generated = seclabel->implicit = true;
|
||||||
|
seclabel->type = VIR_DOMAIN_SECLABEL_DYNAMIC;
|
||||||
}
|
}
|
||||||
|
} else {
|
||||||
if (seclabel->type == VIR_DOMAIN_SECLABEL_DEFAULT) {
|
if (seclabel->type == VIR_DOMAIN_SECLABEL_DEFAULT) {
|
||||||
if (virSecurityManagerGetDefaultConfined(sec_managers[i])) {
|
if (virSecurityManagerGetDefaultConfined(sec_managers[i])) {
|
||||||
seclabel->type = VIR_DOMAIN_SECLABEL_DYNAMIC;
|
seclabel->type = VIR_DOMAIN_SECLABEL_DYNAMIC;
|
||||||
@ -670,11 +676,7 @@ virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
|
|||||||
virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
|
virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
|
||||||
_("Unconfined guests are not allowed on this host"));
|
_("Unconfined guests are not allowed on this host"));
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
} else if (vm->nseclabels && generated) {
|
}
|
||||||
VIR_DEBUG("Skipping auto generated seclabel of type none");
|
|
||||||
virSecurityLabelDefFree(seclabel);
|
|
||||||
seclabel = NULL;
|
|
||||||
continue;
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
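Review bot: The new `continue` at the top of the `seclabel == NULL` branch looks like it fails open on a host that requires confinement. A domain with no <seclabel> now leaves the iteration before reaching the "Unconfined guests are not allowed on this host" rejection, which after this change sits inside the added `else` branch and so only runs for labels already present in the definition. The condition guarding that error lies between the two hunks and is not visible here, so this assumes it is the require-confined check (`virSecurityManagerGetRequireConfined`) and that a driver can be configured with default confinement off while confinement is required. If both hold, the skip path should apply the same rejection before continuing, as sketched below. The body of virSecurityManagerGenLabel starts and ends outside the hunks.

```c
if (!virSecurityManagerGetDefaultConfined(sec_managers[i])) {
    /* No label is generated for this driver, so the guest would run
     * unconfined: honour the require-confined policy before skipping. */
    if (virSecurityManagerGetRequireConfined(sec_managers[i])) {
        virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
                       _("Unconfined guests are not allowed on this host"));
        goto cleanup;
    }
    /* … unchanged: VIR_DEBUG("Skipping auto generated seclabel"); continue; … */
```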