From 3883ef0360650ba9c5e9d764bec5b6caedb0cd14 Mon Sep 17 00:00:00 2001
From: Jiri Denemark
Date: Wed, 25 Jul 2012 14:38:27 +0200
Subject: [PATCH] security: Skip labeling resources when seclabel defaults to none

If a domain is explicitly configured with we correctly ensure that no labeling will be done by setting norelabel=true. However, if no seclabel element is present in domain XML and hypervisor is configured not to confine domains by default, we only set type to "none" without turning off relabeling. Thus if such a domain is being started, security driver wants to relabel resources with default label, which doesn't make any sense. Moreover, with SELinux security driver, the generated image label lacks "s0" sensitivity, which causes setfilecon() fail with EINVAL in enforcing mode.

(cherry picked from commit ce53382ba28179d3a504b29b4f888b6e130d53f0)
---
 src/security/security_manager.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index 0a43458d78..8bf1fcc342 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -296,10 +296,12 @@ int virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
                                virDomainDefPtr vm)
 {
     if (vm->seclabel.type == VIR_DOMAIN_SECLABEL_DEFAULT) {
-        if (mgr->defaultConfined)
+        if (mgr->defaultConfined) {
             vm->seclabel.type = VIR_DOMAIN_SECLABEL_DYNAMIC;
-        else
+        } else {
             vm->seclabel.type = VIR_DOMAIN_SECLABEL_NONE;
+            vm->seclabel.norelabel = true;
+        }
     }
 
     if ((vm->seclabel.type == VIR_DOMAIN_SECLABEL_NONE) &&
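Review bot: The new `} else {` branch makes an unconfined default indistinguishable from an explicitly configured none-type label with relabeling turned off, but nothing in the code says why `norelabel` must be set together with `VIR_DOMAIN_SECLABEL_NONE`; the commit message has the rationale and it belongs next to the assignment, e.g. `/* With type NONE there is no label to apply, so relabeling resources with a generic default label is pointless (and under SELinux yields a label without sensitivity that setfilecon() rejects) */`. Note also that the resolved type and norelabel appear to be written back into vm->seclabel, so the choice derived from mgr->defaultConfined at generation time sticks to the definition even if the driver's default later changes; if that is intended, the comment should say so. The condition that begins on the last context line continues outside the hunk, and it may be worth confirming that it still behaves as expected now that norelabel is true on this path.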