[libvirt] [PATCH] selinux: Do not automatically label images of unconfined domains

Jiri Denemark jdenemar at redhat.com
Wed Jul 25 09:41:27 UTC 2012


When an unconfined domain is being started, it doesn't make any sense to
automatically relabel its disk images with the default label. Moreover,
doing so would fail because the generated label would be generated
without the "s0" sensitivity (since mcs is NULL in this case).
---
 src/security/security_selinux.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index ca19b70..02808a4 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -370,8 +370,13 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
         goto cleanup;
     }
 
-    if (!def->seclabel.norelabel) {
-        def->seclabel.imagelabel = virSecuritySELinuxGenNewContext(data->file_context, mcs);
+    /* Generating image label does not make any sense if the domain itself
+     * will not be labeled.
+     */
+    if (def->seclabel.type != VIR_DOMAIN_SECLABEL_NONE &&
+        !def->seclabel.norelabel) {
+        def->seclabel.imagelabel =
+            virSecuritySELinuxGenNewContext(data->file_context, mcs);
         if (!def->seclabel.imagelabel)  {
             virReportError(VIR_ERR_INTERNAL_ERROR,
                            _("cannot generate selinux context for %s"), mcs);
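Review bot: the new guard at `if (def->seclabel.type != VIR_DOMAIN_SECLABEL_NONE &&` avoids the failure described in the commit message, but the error path right below it still formats `mcs` with `%s` in `_("cannot generate selinux context for %s"), mcs`; the commit message says mcs is NULL for the unconfined case, so any other path that reaches `virSecuritySELinuxGenNewContext(data->file_context, mcs)` with a NULL mcs would both produce a label missing the "s0" sensitivity and hand a NULL pointer to a `%s` conversion in the error report. Consider either checking mcs for NULL before the call or printing it through a NULL-safe helper in that message, and extending the added comment ("Generating image label does not make any sense if the domain itself will not be labeled.") to mention that mcs is NULL in that case, so a later reader sees the guard prevents a real failure rather than only a pointless relabel.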
-- 
1.7.11.1
