[libvirt] [PATCH] selinux: distinguish failure to label from request to avoid label
Eric Blake
eblake at redhat.com
Mon Aug 19 17:28:00 UTC 2013
ping
On 08/12/2013 10:19 PM, Eric Blake wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=924153
>
> Commit 904e05a2 (v0.9.9) added a per-<disk> seclabel element with
> an attribute relabel='no' in order to try and minimize the
> impact of shutdown delays when an NFS server disappears. The idea
> was that if a disk is on NFS and can't be labeled in the first
> place, there is no need to attempt the (no-op) relabel on domain
> shutdown. Unfortunately, the way this was implemented was by
> modifying the domain XML so that the optimization would survive
> libvirtd restart, but in a way that is indistinguishable from an
> explicit user setting. Furthermore, once the setting is turned
> on, libvirt avoids attempts at labeling, even for operations like
> snapshot or blockcopy where the chain is being extended or pivoted
> onto non-NFS, where SELinux labeling is once again possible. As
> a result, it was impossible to do a blockcopy to pivot from an
> NFS image file onto a local file.
>
> The solution is to separate the semantics of a chain that must
> not be labeled (which the user can set even on persistent domains)
> vs. the optimization of not attempting a relabel on cleanup (a
> live-only annotation), and using only the user's explicit notation
> rather than the optimization as the decision on whether to skip
> a label attempt in the first place. When upgrading an older
> libvirtd to a newer, an NFS volume will still attempt the relabel;
> but as the avoidance of a relabel was only an optimization, this
> shouldn't cause any problems.
>
> In the ideal future, libvirt will eventually have XML describing
> EVERY file in the backing chain, with each file having a separate
> <seclabel> element. At that point, libvirt will be able to track
> more closely which files need a relabel attempt at shutdown. But
> until we reach that point, the single <seclabel> for the entire
> <disk> chain is treated as a hint - when a chain has only one
> file, then we know it is accurate; but if the chain has more than
> one file, we have to attempt relabel in spite of the attribute,
> in case part of the chain is local and SELinux mattered for that
> portion of the chain.
>
> * src/conf/domain_conf.h (_virSecurityDeviceLabelDef): Add new
> member.
> * src/conf/domain_conf.c (virSecurityDeviceLabelDefParseXML):
> Parse it, for live images only.
> (virSecurityDeviceLabelDefFormat): Output it.
> (virDomainDiskDefParseXML, virDomainChrSourceDefParseXML)
> (virDomainDiskSourceDefFormat, virDomainChrDefFormat)
> (virDomainDiskDefFormat): Pass flags on through.
> * src/security/security_selinux.c
> (virSecuritySELinuxRestoreSecurityImageLabelInt): Honor labelskip
> when possible.
> (virSecuritySELinuxSetSecurityFileLabel): Set labelskip, not
> norelabel, if labeling fails.
> * docs/formatdomain.html.in (seclabel): Document new xml.
> * docs/schemas/domaincommon.rng (devSeclabel): Allow it in RNG.
> * tests/qemuxml2argvdata/qemuxml2argv-seclabel-*-skiplabel.xml:
> * tests/qemuxml2argvdata/qemuxml2argv-seclabel-*-skiplabel.args:
> * tests/qemuxml2xmloutdata/qemuxml2xmlout-seclabel-*-skiplabel.xml:
> New test files.
> * tests/qemuxml2argvtest.c (mymain): Run the new tests.
> * tests/qemuxml2xmltest.c (mymain): Likewise.
>
> Signed-off-by: Eric Blake <eblake at redhat.com>
> ---
>
> docs/formatdomain.html.in | 6 ++-
> docs/schemas/domaincommon.rng | 27 +++++++------
> src/conf/domain_conf.c | 47 ++++++++++++++++------
> src/conf/domain_conf.h | 3 +-
> src/security/security_selinux.c | 10 ++++-
> .../qemuxml2argv-seclabel-dynamic-skiplabel.args | 5 +++
> .../qemuxml2argv-seclabel-dynamic-skiplabel.xml | 32 +++++++++++++++
> .../qemuxml2argv-seclabel-static-skiplabel.args | 5 +++
> .../qemuxml2argv-seclabel-static-skiplabel.xml | 33 +++++++++++++++
> tests/qemuxml2argvtest.c | 2 +
> .../qemuxml2xmlout-seclabel-dynamic-skiplabel.xml | 31 ++++++++++++++
> tests/qemuxml2xmltest.c | 8 ++--
> 12 files changed, 178 insertions(+), 31 deletions(-)
> create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-skiplabel.args
> create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-skiplabel.xml
> create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-skiplabel.args
> create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-skiplabel.xml
> create mode 100644 tests/qemuxml2xmloutdata/qemuxml2xmlout-seclabel-dynamic-skiplabel.xml
>
> diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
> index 83d551a..cafa03f 100644
> --- a/docs/formatdomain.html.in
> +++ b/docs/formatdomain.html.in
> @@ -5024,7 +5024,11 @@ qemu-kvm -net nic,model=? /dev/null
> a <code>seclabel</code> element is attached to a specific path
> rather than the top-level domain assignment, only the
> attribute <code>relabel</code> or the
> - sub-element <code>label</code> are supported.
> + sub-element <code>label</code> are supported. Additionally,
> + <span class="since">since 1.1.2</span>, an output-only
> + element <code>labelskip</code> will be present for active
> + domains on disks where labeling was skipped due to the image
> + being on a file system that lacks security labeling.
> </p>
>
> <h2><a name="examples">Example configs</a></h2>
> diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
> index ac807e6..dfcd61c 100644
> --- a/docs/schemas/domaincommon.rng
> +++ b/docs/schemas/domaincommon.rng
> @@ -152,34 +152,35 @@
> <define name="devSeclabel">
> <element name="seclabel">
> <!-- A per-device seclabel override is more limited, either
> - relabel=no or a <label> must be present. -->
> + relabel=no or a <label> must be present on input;
> + output also can include labelskip=yes. -->
> + <optional>
> + <attribute name='model'>
> + <text/>
> + </attribute>
> + </optional>
> <choice>
> <group>
> - <optional>
> - <attribute name='model'>
> - <text/>
> - </attribute>
> - </optional>
> <attribute name='relabel'>
> <value>no</value>
> </attribute>
> </group>
> <group>
> - <optional>
> - <attribute name='model'>
> - <text/>
> - </attribute>
> - </optional>
> + <attribute name='labelskip'>
> + <value>yes</value>
> + </attribute>
> + </group>
> + <group>
> <optional>
> <attribute name='relabel'>
> <value>yes</value>
> </attribute>
> </optional>
> - <zeroOrMore>
> + <oneOrMore>
> <element name='label'>
> <text/>
> </element>
> - </zeroOrMore>
> + </oneOrMore>
> </group>
> </choice>
> </element>
> diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
> index 7309877..759f686 100644
> --- a/src/conf/domain_conf.c
> +++ b/src/conf/domain_conf.c
> @@ -4484,7 +4484,8 @@ static int
> virSecurityDeviceLabelDefParseXML(virSecurityDeviceLabelDefPtr **seclabels_rtn,
> size_t *nseclabels_rtn,
> virSecurityLabelDefPtr *vmSeclabels,
> - int nvmSeclabels, xmlXPathContextPtr ctxt)
> + int nvmSeclabels, xmlXPathContextPtr ctxt,
> + unsigned int flags)
> {
> virSecurityDeviceLabelDefPtr *seclabels;
> size_t nseclabels = 0;
> @@ -4492,7 +4493,7 @@ virSecurityDeviceLabelDefParseXML(virSecurityDeviceLabelDefPtr **seclabels_rtn,
> size_t i, j;
> xmlNodePtr *list = NULL;
> virSecurityLabelDefPtr vmDef = NULL;
> - char *model, *relabel, *label;
> + char *model, *relabel, *label, *labelskip;
>
> if ((n = virXPathNodeSet("./seclabel", ctxt, &list)) < 0)
> goto error;
> @@ -4547,6 +4548,13 @@ virSecurityDeviceLabelDefParseXML(virSecurityDeviceLabelDefPtr **seclabels_rtn,
> seclabels[i]->norelabel = false;
> }
>
> + /* labelskip is only parsed on live images */
> + labelskip = virXMLPropString(list[i], "labelskip");
> + seclabels[i]->labelskip = false;
> + if (labelskip && !(flags & VIR_DOMAIN_XML_INACTIVE))
> + seclabels[i]->labelskip = STREQ(labelskip, "yes");
> + VIR_FREE(labelskip);
> +
> ctxt->node = list[i];
> label = virXPathStringLimit("string(./label)",
> VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
> @@ -5208,7 +5216,8 @@ virDomainDiskDefParseXML(virDomainXMLOptionPtr xmlopt,
> &def->nseclabels,
> vmSeclabels,
> nvmSeclabels,
> - ctxt) < 0)
> + ctxt,
> + flags) < 0)
> goto error;
> ctxt->node = saved_node;
> }
> @@ -6884,7 +6893,8 @@ virDomainChrSourceDefParseXML(virDomainChrSourceDefPtr def,
> &chr_def->nseclabels,
> vmSeclabels,
> nvmSeclabels,
> - ctxt) < 0) {
> + ctxt,
> + flags) < 0) {
> ctxt->node = saved_node;
> goto error;
> }
> @@ -14018,14 +14028,23 @@ virSecurityLabelDefFormat(virBufferPtr buf, virSecurityLabelDefPtr def)
>
> static void
> virSecurityDeviceLabelDefFormat(virBufferPtr buf,
> - virSecurityDeviceLabelDefPtr def)
> + virSecurityDeviceLabelDefPtr def,
> + unsigned int flags)
> {
> + /* For offline output, skip elements that allow labels but have no
> + * label specified (possible if labelskip was ignored on input). */
> + if ((flags & VIR_DOMAIN_XML_INACTIVE) && !def->label && !def->norelabel)
> + return;
> +
> virBufferAddLit(buf, "<seclabel");
>
> if (def->model)
> virBufferAsprintf(buf, " model='%s'", def->model);
>
> - virBufferAsprintf(buf, " relabel='%s'", def->norelabel ? "no" : "yes");
> + if (def->labelskip)
> + virBufferAddLit(buf, " labelskip='yes'");
> + else
> + virBufferAsprintf(buf, " relabel='%s'", def->norelabel ? "no" : "yes");
>
> if (def->label) {
> virBufferAddLit(buf, ">\n");
> @@ -14100,7 +14119,8 @@ virDomainDiskBlockIoDefFormat(virBufferPtr buf,
>
> static int
> virDomainDiskSourceDefFormat(virBufferPtr buf,
> - virDomainDiskDefPtr def)
> + virDomainDiskDefPtr def,
> + unsigned int flags)
> {
> int n;
> const char *startupPolicy = virDomainStartupPolicyTypeToString(def->startupPolicy);
> @@ -14119,7 +14139,8 @@ virDomainDiskSourceDefFormat(virBufferPtr buf,
> virBufferAddLit(buf, ">\n");
> virBufferAdjustIndent(buf, 8);
> for (n = 0; n < def->nseclabels; n++)
> - virSecurityDeviceLabelDefFormat(buf, def->seclabels[n]);
> + virSecurityDeviceLabelDefFormat(buf, def->seclabels[n],
> + flags);
> virBufferAdjustIndent(buf, -8);
> virBufferAddLit(buf, " </source>\n");
> } else {
> @@ -14136,7 +14157,8 @@ virDomainDiskSourceDefFormat(virBufferPtr buf,
> virBufferAddLit(buf, ">\n");
> virBufferAdjustIndent(buf, 8);
> for (n = 0; n < def->nseclabels; n++)
> - virSecurityDeviceLabelDefFormat(buf, def->seclabels[n]);
> + virSecurityDeviceLabelDefFormat(buf, def->seclabels[n],
> + flags);
> virBufferAdjustIndent(buf, -8);
> virBufferAddLit(buf, " </source>\n");
> } else {
> @@ -14201,7 +14223,8 @@ virDomainDiskSourceDefFormat(virBufferPtr buf,
> virBufferAddLit(buf, ">\n");
> virBufferAdjustIndent(buf, 8);
> for (n = 0; n < def->nseclabels; n++)
> - virSecurityDeviceLabelDefFormat(buf, def->seclabels[n]);
> + virSecurityDeviceLabelDefFormat(buf, def->seclabels[n],
> + flags);
> virBufferAdjustIndent(buf, -8);
> virBufferAddLit(buf, " </source>\n");
> } else {
> @@ -14337,7 +14360,7 @@ virDomainDiskDefFormat(virBufferPtr buf,
> virBufferAddLit(buf, " </auth>\n");
> }
>
> - if (virDomainDiskSourceDefFormat(buf, def) < 0)
> + if (virDomainDiskSourceDefFormat(buf, def, flags) < 0)
> return -1;
> virDomainDiskGeometryDefFormat(buf, def);
> virDomainDiskBlockIoDefFormat(buf, def);
> @@ -15189,7 +15212,7 @@ virDomainChrDefFormat(virBufferPtr buf,
> if (def->seclabels && def->nseclabels > 0) {
> virBufferAdjustIndent(buf, 2);
> for (n = 0; n < def->nseclabels; n++)
> - virSecurityDeviceLabelDefFormat(buf, def->seclabels[n]);
> + virSecurityDeviceLabelDefFormat(buf, def->seclabels[n], flags);
> virBufferAdjustIndent(buf, -2);
> }
>
> diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
> index 3e118d6..500a5be 100644
> --- a/src/conf/domain_conf.h
> +++ b/src/conf/domain_conf.h
> @@ -343,7 +343,8 @@ typedef virSecurityDeviceLabelDef *virSecurityDeviceLabelDefPtr;
> struct _virSecurityDeviceLabelDef {
> char *model;
> char *label; /* image label string */
> - bool norelabel;
> + bool norelabel; /* true to skip label attempts */
> + bool labelskip; /* live-only; true if skipping failed label attempt */
> };
>
>
> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
> index e3dce66a..b1372e6 100644
> --- a/src/security/security_selinux.c
> +++ b/src/security/security_selinux.c
> @@ -1135,6 +1135,14 @@ virSecuritySELinuxRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr,
> if (seclabel->norelabel || (disk_seclabel && disk_seclabel->norelabel))
> return 0;
>
> + /* If labelskip is true and there are no backing files, then we
> + * know it is safe to skip the restore. FIXME - backing files should
> + * be tracked in domain XML, at which point labelskip should be a
> + * per-file attribute instead of a disk attribute. */
> + if (disk_seclabel && disk_seclabel->labelskip &&
> + !disk->backingChain)
> + return 0;
> +
> /* Don't restore labels on readoly/shared disks, because
> * other VMs may still be accessing these
> * Alternatively we could iterate over all running
> @@ -1219,7 +1227,7 @@ virSecuritySELinuxSetSecurityFileLabel(virDomainDiskDefPtr disk,
> disk_seclabel = virDomainDiskDefGenSecurityLabelDef(SECURITY_SELINUX_NAME);
> if (!disk_seclabel)
> return -1;
> - disk_seclabel->norelabel = true;
> + disk_seclabel->labelskip = true;
> if (VIR_APPEND_ELEMENT(disk->seclabels, disk->nseclabels,
> disk_seclabel) < 0) {
> virSecurityDeviceLabelDefFree(disk_seclabel);
> diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-skiplabel.args b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-skiplabel.args
> new file mode 100644
> index 0000000..892c6b5
> --- /dev/null
> +++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-skiplabel.args
> @@ -0,0 +1,5 @@
> +LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test /usr/bin/qemu \
> +-name QEMUGuest1 -S -M pc -m 214 -smp 1 -nographic -monitor \
> +unix:/tmp/test-monitor,server,nowait -no-acpi -boot c -usb \
> +-hda /dev/HostVG/QEMUGuest1 \
> +-net none -serial none -parallel none
> diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-skiplabel.xml b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-skiplabel.xml
> new file mode 100644
> index 0000000..e3bc700
> --- /dev/null
> +++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-skiplabel.xml
> @@ -0,0 +1,32 @@
> +<domain type='qemu'>
> + <name>QEMUGuest1</name>
> + <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
> + <memory unit='KiB'>219100</memory>
> + <currentMemory unit='KiB'>219100</currentMemory>
> + <vcpu placement='static' cpuset='1-4,8-20,525'>1</vcpu>
> + <os>
> + <type arch='i686' machine='pc'>hvm</type>
> + <boot dev='hd'/>
> + </os>
> + <clock offset='utc'/>
> + <on_poweroff>destroy</on_poweroff>
> + <on_reboot>restart</on_reboot>
> + <on_crash>destroy</on_crash>
> + <devices>
> + <emulator>/usr/bin/qemu</emulator>
> + <disk type='block' device='disk'>
> + <source dev='/dev/HostVG/QEMUGuest1'>
> + <seclabel model='selinux' labelskip='yes'/>
> + </source>
> + <target dev='hda' bus='ide'/>
> + <address type='drive' controller='0' bus='0' target='0' unit='0'/>
> + </disk>
> + <controller type='usb' index='0'/>
> + <controller type='ide' index='0'/>
> + <controller type='pci' index='0' model='pci-root'/>
> + <memballoon model='virtio'/>
> + </devices>
> + <seclabel type='dynamic' model='selinux' relabel='yes'>
> + <baselabel>system_u:system_r:svirt_custom_t:s0</baselabel>
> + </seclabel>
> +</domain>
> diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-skiplabel.args b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-skiplabel.args
> new file mode 100644
> index 0000000..892c6b5
> --- /dev/null
> +++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-skiplabel.args
> @@ -0,0 +1,5 @@
> +LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test /usr/bin/qemu \
> +-name QEMUGuest1 -S -M pc -m 214 -smp 1 -nographic -monitor \
> +unix:/tmp/test-monitor,server,nowait -no-acpi -boot c -usb \
> +-hda /dev/HostVG/QEMUGuest1 \
> +-net none -serial none -parallel none
> diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-skiplabel.xml b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-skiplabel.xml
> new file mode 100644
> index 0000000..a743448
> --- /dev/null
> +++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-skiplabel.xml
> @@ -0,0 +1,33 @@
> +<domain type='qemu' id='1'>
> + <name>QEMUGuest1</name>
> + <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
> + <memory unit='KiB'>219100</memory>
> + <currentMemory unit='KiB'>219100</currentMemory>
> + <vcpu placement='static' cpuset='1-4,8-20,525'>1</vcpu>
> + <os>
> + <type arch='i686' machine='pc'>hvm</type>
> + <boot dev='hd'/>
> + </os>
> + <clock offset='utc'/>
> + <on_poweroff>destroy</on_poweroff>
> + <on_reboot>restart</on_reboot>
> + <on_crash>destroy</on_crash>
> + <devices>
> + <emulator>/usr/bin/qemu</emulator>
> + <disk type='block' device='disk'>
> + <source dev='/dev/HostVG/QEMUGuest1'>
> + <seclabel model='selinux' labelskip='yes'/>
> + </source>
> + <target dev='hda' bus='ide'/>
> + <address type='drive' controller='0' bus='0' target='0' unit='0'/>
> + </disk>
> + <controller type='usb' index='0'/>
> + <controller type='ide' index='0'/>
> + <controller type='pci' index='0' model='pci-root'/>
> + <memballoon model='virtio'/>
> + </devices>
> + <seclabel type='static' model='selinux' relabel='yes'>
> + <label>system_u:system_r:svirt_custom_t:s0:c192,c392</label>
> + <imagelabel>system_u:system_r:svirt_custom_t:s0:c192,c392</imagelabel>
> + </seclabel>
> +</domain>
> diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
> index 679124e..09cc516 100644
> --- a/tests/qemuxml2argvtest.c
> +++ b/tests/qemuxml2argvtest.c
> @@ -923,8 +923,10 @@ mymain(void)
> DO_TEST("seclabel-dynamic", QEMU_CAPS_NAME);
> DO_TEST("seclabel-dynamic-baselabel", QEMU_CAPS_NAME);
> DO_TEST("seclabel-dynamic-override", QEMU_CAPS_NAME);
> + DO_TEST("seclabel-dynamic-skiplabel", QEMU_CAPS_NAME);
> DO_TEST("seclabel-static", QEMU_CAPS_NAME);
> DO_TEST("seclabel-static-relabel", QEMU_CAPS_NAME);
> + DO_TEST("seclabel-static-skiplabel", QEMU_CAPS_NAME);
> DO_TEST("seclabel-none", QEMU_CAPS_NAME);
>
> DO_TEST("pseries-basic",
> diff --git a/tests/qemuxml2xmloutdata/qemuxml2xmlout-seclabel-dynamic-skiplabel.xml b/tests/qemuxml2xmloutdata/qemuxml2xmlout-seclabel-dynamic-skiplabel.xml
> new file mode 100644
> index 0000000..0764691
> --- /dev/null
> +++ b/tests/qemuxml2xmloutdata/qemuxml2xmlout-seclabel-dynamic-skiplabel.xml
> @@ -0,0 +1,31 @@
> +<domain type='qemu'>
> + <name>QEMUGuest1</name>
> + <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
> + <memory unit='KiB'>219100</memory>
> + <currentMemory unit='KiB'>219100</currentMemory>
> + <vcpu placement='static' cpuset='1-4,8-20,525'>1</vcpu>
> + <os>
> + <type arch='i686' machine='pc'>hvm</type>
> + <boot dev='hd'/>
> + </os>
> + <clock offset='utc'/>
> + <on_poweroff>destroy</on_poweroff>
> + <on_reboot>restart</on_reboot>
> + <on_crash>destroy</on_crash>
> + <devices>
> + <emulator>/usr/bin/qemu</emulator>
> + <disk type='block' device='disk'>
> + <source dev='/dev/HostVG/QEMUGuest1'>
> + </source>
> + <target dev='hda' bus='ide'/>
> + <address type='drive' controller='0' bus='0' target='0' unit='0'/>
> + </disk>
> + <controller type='usb' index='0'/>
> + <controller type='ide' index='0'/>
> + <controller type='pci' index='0' model='pci-root'/>
> + <memballoon model='virtio'/>
> + </devices>
> + <seclabel type='dynamic' model='selinux' relabel='yes'>
> + <baselabel>system_u:system_r:svirt_custom_t:s0</baselabel>
> + </seclabel>
> +</domain>
> diff --git a/tests/qemuxml2xmltest.c b/tests/qemuxml2xmltest.c
> index 5c6730d..68fbdc5 100644
> --- a/tests/qemuxml2xmltest.c
> +++ b/tests/qemuxml2xmltest.c
> @@ -30,6 +30,7 @@ testCompareXMLToXMLFiles(const char *inxml, const char *outxml, bool live)
> char *actual = NULL;
> int ret = -1;
> virDomainDefPtr def = NULL;
> + unsigned int flags = live ? 0 : VIR_DOMAIN_XML_INACTIVE;
>
> if (virtTestLoadFile(inxml, &inXmlData) < 0)
> goto fail;
> @@ -37,11 +38,10 @@ testCompareXMLToXMLFiles(const char *inxml, const char *outxml, bool live)
> goto fail;
>
> if (!(def = virDomainDefParseString(inXmlData, driver.caps, driver.xmlopt,
> - QEMU_EXPECTED_VIRT_TYPES,
> - live ? 0 : VIR_DOMAIN_XML_INACTIVE)))
> + QEMU_EXPECTED_VIRT_TYPES, flags)))
> goto fail;
>
> - if (!(actual = virDomainDefFormat(def, VIR_DOMAIN_XML_SECURE)))
> + if (!(actual = virDomainDefFormat(def, VIR_DOMAIN_XML_SECURE | flags)))
> goto fail;
>
> if (STRNEQ(outXmlData, actual)) {
> @@ -257,7 +257,9 @@ mymain(void)
>
> DO_TEST_FULL("seclabel-dynamic-baselabel", false, WHEN_INACTIVE);
> DO_TEST_FULL("seclabel-dynamic-override", false, WHEN_INACTIVE);
> + DO_TEST_FULL("seclabel-dynamic-skiplabel", true, WHEN_INACTIVE);
> DO_TEST("seclabel-static");
> + DO_TEST_FULL("seclabel-static-skiplabel", false, WHEN_ACTIVE);
> DO_TEST("seclabel-none");
> DO_TEST("numad-static-vcpu-no-numatune");
> DO_TEST("disk-scsi-lun-passthrough-sgio");
>
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 621 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20130819/287ab707/attachment-0001.sig>
More information about the libvir-list
mailing list