mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-12-23 06:05:27 +00:00
security: Don't add seclabel of type none if there's already a seclabel
https://bugzilla.redhat.com/show_bug.cgi?id=923946

The <seclabel type='none'/> should be added iff there is no other seclabel defined within a domain. This bug can be easily reproduced:

1) configure selinux seclabel for a domain
2) disable system's selinux and restart libvirtd
3) observe <seclabel type='none'/> being appended to a domain on its startup
parent
6c4de11614
commit
e4a28a3281
@ -455,11 +455,16 @@ int virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
|
||||
}
|
||||
}
|
||||
|
||||
if ((seclabel->type == VIR_DOMAIN_SECLABEL_NONE) &&
|
||||
sec_managers[i]->requireConfined) {
|
||||
virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
|
||||
_("Unconfined guests are not allowed on this host"));
|
||||
goto cleanup;
|
||||
if (seclabel->type == VIR_DOMAIN_SECLABEL_NONE) {
|
||||
if (sec_managers[i]->requireConfined) {
|
||||
virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
|
||||
_("Unconfined guests are not allowed on this host"));
|
||||
goto cleanup;
|
||||
} else if (vm->nseclabels && generated) {
|
||||
VIR_DEBUG("Skipping auto generated seclabel of type none");
|
||||
virSecurityLabelDefFree(seclabel);
|
||||
continue;
|
||||
}
|
||||
}
|
||||
|
||||
if (!sec_managers[i]->drv->domainGenSecurityLabel) {
|
||||
|
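Review bot: In the new `else if (vm->nseclabels && generated)` branch, `virSecurityLabelDefFree(seclabel)` releases the label but the local `seclabel` pointer keeps its old value when `continue` runs. The `cleanup` label is outside this hunk; if it frees `seclabel` whenever `generated` is set, taking this branch for the last security manager would leave the loop with a dangling pointer and free it a second time. Adding `seclabel = NULL;` directly after the free, before `continue;`, removes that risk however cleanup is written. The loop head that assigns `generated` is also outside the hunk, so this should be confirmed against the full function.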