Support seclabels for volume type disk

"seclabels" is only valid for 'file' or 'block' type storage volume.

docs/formatdomain.html.in

@@ -1439,11 +1439,13 @@
         path to the file holding the disk. If the disk
         <code>type</code> is "block", then the <code>dev</code>
         attribute specifies the path to the host device to serve as
-        the disk. With both "file" and "block", one or more optional
+        the disk. With "file", "block", and "volume", one or more optional
         sub-elements <code>seclabel</code>, <a href="#seclabel">described
         below</a> (and <span class="since">since 0.9.9</span>), can be
         used to override the domain security labeling policy for just
-        that source file.  If the disk <code>type</code> is "dir", then the
+        that source file. (NB, for "volume" type disk, <code>seclabel</code>
+        is only valid when the specified storage volume is of 'file' or
+        'block' type).  If the disk <code>type</code> is "dir", then the
         <code>dir</code> attribute specifies the fully-qualified path
         to the directory to use as the disk. If the disk <code>type</code>
         is "network", then the <code>protocol</code> attribute specifies

docs/schemas/domaincommon.rng

@@ -1123,6 +1123,9 @@
                 <optional>
                   <ref name="startupPolicy"/>
                 </optional>
+                <optional>
+                  <ref name='devSeclabel'/>
+                </optional>
               </element>
             </optional>
             <ref name="diskspec"/>

src/conf/domain_conf.c

@@ -13020,16 +13020,24 @@ virDomainDiskSourceDefFormat(virBufferPtr buf,
             }
             break;
         case VIR_DOMAIN_DISK_TYPE_VOLUME:
-            /* Parsing guarantees the def->srcpool->volume cannot be NULL
-             * if def->srcpool->pool is not NULL.
-             */
+            virBufferAddLit(buf, "      <source");
+
             if (def->srcpool)
-                virBufferAsprintf(buf, "      <source pool='%s' volume='%s'",
+                virBufferAsprintf(buf, " pool='%s' volume='%s'",
                                   def->srcpool->pool, def->srcpool->volume);
             if (def->startupPolicy)
-                virBufferEscapeString(buf, " startupPolicy='%s'/>\n", startupPolicy);
-            else
+                virBufferEscapeString(buf, " startupPolicy='%s'", startupPolicy);
+
+            if (def->nseclabels) {
+                virBufferAddLit(buf, ">\n");
+                virBufferAdjustIndent(buf, 8);
+                for (n = 0; n < def->nseclabels; n++)
+                    virSecurityDeviceLabelDefFormat(buf, def->seclabels[n]);
+                virBufferAdjustIndent(buf, -8);
+                virBufferAddLit(buf, "      </source>\n");
+            } else {
                 virBufferAddLit(buf, "/>\n");
+            }
             break;
         default:
             virReportError(VIR_ERR_INTERNAL_ERROR,

tests/qemuxml2argvdata/qemuxml2argv-disk-source-pool.xml

@@ -15,7 +15,11 @@
   <devices>
     <emulator>/usr/bin/qemu</emulator>
     <disk type='volume' device='cdrom'>
-      <source pool='blk-pool0' volume='blk-pool0-vol0' startupPolicy='optional'/>
+      <source pool='blk-pool0' volume='blk-pool0-vol0' startupPolicy='optional'>
+        <seclabel model='selinux' relabel='yes'>
+          <label>system_u:system_r:public_content_t:s0</label>
+        </seclabel>
+      </source>
       <target dev='hda' bus='ide'/>
       <readonly/>
       <address type='drive' controller='0' bus='0' target='0' unit='1'/>