security: Skip labeling resources when seclabel defaults to none
If a domain is explicitly configured with <seclabel type="none"/>, we correctly ensure that no labeling will be done by setting norelabel=true. However, if no seclabel element is present in the domain XML and the hypervisor is configured not to confine domains by default, we only set type to "none" without turning off relabeling. Thus, when such a domain is started, the security driver wants to relabel resources with the default label, which doesn't make any sense. Moreover, with the SELinux security driver, the generated image label lacks the "s0" sensitivity, which causes setfilecon() to fail with EINVAL in enforcing mode.
parent
85f416fddb
commit
ce53382ba2
@ -309,10 +309,12 @@ int virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
|
|||||||
virDomainDefPtr vm)
|
virDomainDefPtr vm)
|
||||||
{
|
{
|
||||||
if (vm->seclabel.type == VIR_DOMAIN_SECLABEL_DEFAULT) {
|
if (vm->seclabel.type == VIR_DOMAIN_SECLABEL_DEFAULT) {
|
||||||
if (mgr->defaultConfined)
|
if (mgr->defaultConfined) {
|
||||||
vm->seclabel.type = VIR_DOMAIN_SECLABEL_DYNAMIC;
|
vm->seclabel.type = VIR_DOMAIN_SECLABEL_DYNAMIC;
|
||||||
else
|
} else {
|
||||||
vm->seclabel.type = VIR_DOMAIN_SECLABEL_NONE;
|
vm->seclabel.type = VIR_DOMAIN_SECLABEL_NONE;
|
||||||
|
vm->seclabel.norelabel = true;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if ((vm->seclabel.type == VIR_DOMAIN_SECLABEL_NONE) &&
|
if ((vm->seclabel.type == VIR_DOMAIN_SECLABEL_NONE) &&
|
||||||
|
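Review bot: The new `else` branch of virSecurityManagerGenLabel sets `vm->seclabel.type = VIR_DOMAIN_SECLABEL_NONE` and `vm->seclabel.norelabel = true` together, but nothing in the code records that these two fields have to stay coupled. According to the commit description, the explicit `<seclabel type="none"/>` case establishes the same pairing elsewhere, so the invariant now lives in two places and a later change to either could bring back relabeling of an unconfined domain's resources. A short comment above the assignment would make the intent visible, for example `/* Unconfined by default: skip relabeling too, as for explicit <seclabel type="none"/> */`. The function continues past the hunk with the `if ((vm->seclabel.type == VIR_DOMAIN_SECLABEL_NONE) &&` condition, whose remainder is not visible here, so whether that check depends on `norelabel` could not be confirmed from this page.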