[libvirt] [PATCH] security: Skip labeling resources when seclabel defaults to none

Jiri Denemark jdenemar at redhat.com
Fri Jul 27 17:01:48 UTC 2012


On Fri, Jul 27, 2012 at 17:14:41 +0100, Daniel P. Berrange wrote:
> On Wed, Jul 25, 2012 at 03:30:28PM +0200, Jiri Denemark wrote:
> > If a domain is explicitly configured with <seclabel type="none"/> we
> > correctly ensure that no labeling will be done by setting
> > norelabel=true. However, if no seclabel element is present in domain XML
> > and the hypervisor is configured not to confine domains by default, we only
> > set type to "none" without turning off relabeling. Thus if such a domain
> > is being started, the security driver wants to relabel resources with the
> > default label, which doesn't make any sense.
> > 
> > Moreover, with the SELinux security driver, the generated image label lacks
> > the "s0" sensitivity, which causes setfilecon() to fail with EINVAL in
> > enforcing mode.
> 
> ACK, I see if the user requested type=none in the XML, then we
> have already set norelabel = true, in the XML parser.

Thanks, pushed.

Jirka
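As an added illustration, not code from libvirt or from this thread, here is a small Python model of the decision the patch corrects: which label type and norelabel flag a domain ends up with, given its <seclabel/> element and the hypervisor's default-confinement setting. The `relabel="no"` attribute is libvirt's own; the sample domain XML snippets are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain definitions (minimal, only what the model reads).
EXPLICIT_NONE = '<domain type="kvm"><seclabel type="none"/></domain>'
NO_SECLABEL = '<domain type="kvm"><name>guest</name></domain>'
DYNAMIC_NO_RELABEL = '<domain type="kvm"><seclabel type="dynamic" relabel="no"/></domain>'


def effective_seclabel(domain_xml, default_confined, fixed=True):
    """Model (not libvirt's code) of the label type and norelabel flag.

    default_confined -- hypervisor setting "confine domains by default"
    fixed            -- True: behaviour after the patch; False: the bug
    """
    root = ET.fromstring(domain_xml)
    seclabel = root.find("seclabel")
    if seclabel is None:
        if default_confined:
            # Default confinement: dynamic label, resources get relabeled.
            return {"type": "dynamic", "norelabel": False}
        # Unconfined default: type becomes "none". The bug left norelabel
        # unset, so the driver still tried to relabel with a default label
        # (one that, for SELinux, also lacked the s0 sensitivity).
        return {"type": "none", "norelabel": fixed}
    label_type = seclabel.get("type", "dynamic")
    if label_type == "none":
        # Explicit type="none": the XML parser already sets norelabel.
        return {"type": "none", "norelabel": True}
    # dynamic/static labels: relabel unless the user said relabel="no".
    return {"type": label_type, "norelabel": seclabel.get("relabel", "yes") == "no"}


def should_relabel(domain_xml, default_confined, fixed=True):
    """True when the security driver would touch resource labels."""
    return not effective_seclabel(domain_xml, default_confined, fixed)["norelabel"]


if __name__ == "__main__":
    for name, xml in [("explicit none", EXPLICIT_NONE),
                      ("no seclabel", NO_SECLABEL),
                      ("dynamic relabel=no", DYNAMIC_NO_RELABEL)]:
        print(name, "unconfined default, buggy:",
              should_relabel(xml, False, fixed=False),
              "fixed:", should_relabel(xml, False))
```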
