[libvirt] [PATCH 0/2] Don't lose running domains configured with no seclabel

Jiri Denemark jdenemar at redhat.com
Tue Feb 7 20:10:41 UTC 2012


It's not exactly obvious but these two patches fix quite an ugly bug affecting
setups without any useful security driver (i.e., either explicitly or
implicitly using driver 'none').

When a domain is defined without any <seclabel> element in its XML and started
by libvirt, an incorrect <seclabel> element is put into its runtime XML
configuration, which causes such a domain to disappear from libvirt when libvirtd
is restarted. Without these patches, the incorrect element is

    <seclabel type='dynamic' relabel='yes'/>

After applying patch 2/2, the element is

    <seclabel type='none' relabel='yes'/>

which is still wrong, and after applying both of these patches, the correct element

    <seclabel type='none'/>

is placed into the runtime XML configuration.

Jiri Denemark (2):
  seclabel: Do not output relabel attribute for type 'none'
  security: Driver 'none' cannot create confined guests

 src/conf/domain_conf.c                             |    9 +++++----
 src/security/security_manager.c                    |   20 ++++++++++++++++++++
 .../qemuxml2argv-seclabel-none.xml                 |    2 +-
 tests/seclabeltest.c                               |    2 +-
 4 files changed, 27 insertions(+), 6 deletions(-)

-- 
1.7.8.4
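
Added example, not part of the original message and not libvirt code: a Python check that flags the two incorrect <seclabel> forms quoted above in a domain XML document. The function name, the finding codes, the outer wrapper element in the constructed samples, and the rule that a dynamic label with no model attribute and no <label> child marks an unconfined guest are assumptions.

```python
import xml.etree.ElementTree as ET

def audit_seclabel(xml_text):
    """Return a list of finding codes for the <seclabel> elements of one domain."""
    root = ET.fromstring(xml_text)
    # Accept a bare <domain> document or one wrapped in an outer element.
    domain = root if root.tag == "domain" else root.find(".//domain")
    if domain is None:
        raise ValueError("no <domain> element found")
    findings = []
    for sl in domain.findall("seclabel"):
        kind = sl.get("type")
        if kind == "none" and sl.get("relabel") is not None:
            # Second form from the message: type='none' must not carry relabel.
            findings.append("none-with-relabel")
        elif (kind == "dynamic" and sl.get("model") is None
              and sl.find("label") is None):
            # First form from the message. Assumption: a dynamic label with no
            # model attribute and no <label> child means no driver confined it.
            findings.append("dynamic-without-driver")
    return findings

# Constructed sample documents (not taken from a real host).
def _wrap(seclabel):
    return ("<domstatus state='running'><domain type='kvm'><name>demo</name>"
            + seclabel + "</domain></domstatus>")

SAMPLES = {
    "unpatched": _wrap("<seclabel type='dynamic' relabel='yes'/>"),
    "patch-2-only": _wrap("<seclabel type='none' relabel='yes'/>"),
    "both-patches": _wrap("<seclabel type='none'/>"),
    "confined": _wrap("<seclabel type='dynamic' model='selinux' relabel='yes'>"
                      "<label>system_u:system_r:svirt_t:s0:c1,c2</label>"
                      "</seclabel>"),
    "no-seclabel": "<domain type='kvm'><name>demo</name></domain>",
}

if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        print(f"{name:13} {audit_seclabel(doc) or 'ok'}")
```

Running it over the runtime XML of each active domain before restarting libvirtd shows which guests still carry one of the incorrect elements.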
