security: Don't add seclabel of type none if there's already a seclabel

https://bugzilla.redhat.com/show_bug.cgi?id=923946

The <seclabel type='none'/> should be added iff there is no other
seclabel defined within a domain. This bug can be easily reproduced:
1) configure selinux seclabel for a domain
2) disable system's selinux and restart libvirtd
3) observe <seclabel type='none'/> being appended to a domain on its
   startup
This commit is contained in:
Michal Privoznik 2013-03-21 16:32:07 +01:00
parent 6c4de11614
commit e4a28a3281

View File

@ -455,11 +455,16 @@ int virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
}
}
if ((seclabel->type == VIR_DOMAIN_SECLABEL_NONE) &&
sec_managers[i]->requireConfined) {
virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
_("Unconfined guests are not allowed on this host"));
goto cleanup;
if (seclabel->type == VIR_DOMAIN_SECLABEL_NONE) {
if (sec_managers[i]->requireConfined) {
virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
_("Unconfined guests are not allowed on this host"));
goto cleanup;
} else if (vm->nseclabels && generated) {
VIR_DEBUG("Skipping auto generated seclabel of type none");
virSecurityLabelDefFree(seclabel);
continue;
}
}
if (!sec_managers[i]->drv->domainGenSecurityLabel) {