[libvirt] [PATCH v2 2/2] security: Don't add seclabel of type none if there's already a seclabel

Daniel P. Berrange berrange at redhat.com
Thu Mar 28 09:16:10 UTC 2013


On Thu, Mar 21, 2013 at 04:35:11PM +0100, Michal Privoznik wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=923946
> 
> The <seclabel type='none'/> should be added iff there is no other
> seclabel defined within a domain. This bug can be easily reproduced:
> 1) configure selinux seclabel for a domain
> 2) disable system's selinux and restart libvirtd
> 3) observe <seclabel type='none'/> being appended to a domain on its
>    startup
> ---
>  src/security/security_manager.c | 15 ++++++++++-----
>  1 file changed, 10 insertions(+), 5 deletions(-)
> 
> diff --git a/src/security/security_manager.c b/src/security/security_manager.c
> index 5c2a95b..b55af69 100644
> --- a/src/security/security_manager.c
> +++ b/src/security/security_manager.c
> @@ -455,11 +455,16 @@ int virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
>              }
>          }
>  
> -        if ((seclabel->type == VIR_DOMAIN_SECLABEL_NONE) &&
> -            sec_managers[i]->requireConfined) {
> -            virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
> -                           _("Unconfined guests are not allowed on this host"));
> -            goto cleanup;
> +        if (seclabel->type == VIR_DOMAIN_SECLABEL_NONE) {
> +            if (sec_managers[i]->requireConfined) {
> +                virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
> +                               _("Unconfined guests are not allowed on this host"));
> +                goto cleanup;
> +            } else if (vm->nseclabels && generated) {
> +                VIR_DEBUG("Skipping auto generated seclabel of type none");
> +                virSecurityLabelDefFree(seclabel);
> +                continue;
> +            }
>          }
>  
>          if (!sec_managers[i]->drv->domainGenSecurityLabel) {
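Review bot: the new `else if (vm->nseclabels && generated)` branch frees `seclabel` and then `continue`s, which skips everything after it in the loop body, including the `domainGenSecurityLabel` check shown as trailing context; the hunk does not show whether any earlier statement in the iteration has already stored the `seclabel` pointer (in which case the free would leave a dangling reference), so a short comment at that branch stating that the label has not yet been attached anywhere and that skipping the rest of the iteration for this driver is intentional would make the change reviewable without reading the full function. The commit message also does not say why the `generated` condition is required, i.e. that an explicit `<seclabel type='none'/>` written by the user must still be kept and only the auto-generated one is dropped; one sentence to that effect, e.g. "Only skip the label if it was generated, a user-supplied type='none' label is preserved", would help whoever bisects to this commit later.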

ACK

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|