security: Do not restore labels on device tree binary

A device tree binary file specified by /domain/os/dtb element is a read-only resource similar to kernel and initrd files. We shouldn't restore its label when destroying a domain to avoid breaking other domains configure with the same device tree. Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2024-12-22 13:45:38 +00:00 · 2016-01-15 16:34:37 +01:00 · 2016-01-15 16:34:37 +01:00 · 8f0a15727f
commit 8f0a15727f
parent 68acc701bd
2 changed files with 0 additions and 8 deletions
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@ -1128,10 +1128,6 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
        virSecurityDACRestoreFileLabel(priv, def->os.loader->nvram) < 0)
        rc = -1;

-    if (def->os.dtb &&
-        virSecurityDACRestoreFileLabel(priv, def->os.dtb) < 0)
-        rc = -1;
-
    return rc;
 }

--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@ -2034,10 +2034,6 @@ virSecuritySELinuxRestoreAllLabel(virSecurityManagerPtr mgr,
        virSecuritySELinuxRestoreFileLabel(mgr, def->os.loader->nvram) < 0)
        rc = -1;

-    if (def->os.dtb &&
-        virSecuritySELinuxRestoreFileLabel(mgr, def->os.dtb) < 0)
-        rc = -1;
-
    return rc;
 }