[libvirt] [PATCHv2 2/2] security_dac: Honor norelabel attribute
Jim Fehlig
jfehlig at suse.com
Fri May 16 04:23:06 UTC 2014
Ján Tomko wrote:
> On 04/04/2014 02:34 PM, Michal Privoznik wrote:
>
[...]
>> src/security/security_dac.c | 92 +++++++++++++++++++++++++++++++++++----------
>> 1 file changed, 73 insertions(+), 19 deletions(-)
>>
>> diff --git a/src/security/security_dac.c b/src/security/security_dac.c
>> index 8835d49..f15a0e9 100644
>> --- a/src/security/security_dac.c
>> +++ b/src/security/security_dac.c
>> @@ -286,7 +286,7 @@ virSecurityDACRestoreSecurityFileLabel(const char *path)
>>
>>
>> static int
>> -virSecurityDACSetSecurityFileLabel(virDomainDiskDefPtr disk ATTRIBUTE_UNUSED,
>> +virSecurityDACSetSecurityFileLabel(virDomainDiskDefPtr disk,
>> const char *path,
>> size_t depth ATTRIBUTE_UNUSED,
>> void *opaque)
>> @@ -295,11 +295,23 @@ virSecurityDACSetSecurityFileLabel(virDomainDiskDefPtr disk ATTRIBUTE_UNUSED,
>> virSecurityManagerPtr mgr = cbdata->manager;
>> virSecurityLabelDefPtr secdef = cbdata->secdef;
>> virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
>> + virSecurityDeviceLabelDefPtr disk_seclabel;
>> uid_t user;
>> gid_t group;
>>
>> - if (virSecurityDACGetImageIds(secdef, priv, &user, &group) < 0)
>> - return -1;
>> + disk_seclabel = virDomainDiskDefGetSecurityLabelDef(disk,
>> + SECURITY_DAC_NAME);
>> +
>> + if (disk_seclabel && disk_seclabel->norelabel)
>> + return 0;
>>
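Review bot: the early `return 0` taken when `disk_seclabel->norelabel` is set skips the ownership change without leaving any trace, so a one-line comment or a VIR_DEBUG naming `path` at that return would make a deliberately unlabeled disk distinguishable from a labeling failure when debugging permission errors. `disk` is also now passed to virDomainDiskDefGetSecurityLabelDef() unconditionally, so it is worth confirming that no caller of this callback passes NULL, or guarding the lookup with a NULL check.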
>
> What if the domain label has relabel='no', but the disk label has relabel='yes'?
>
Seems that configuration is not valid. When trying it, I get
error: XML error: label overrides require relabeling to be enabled at
the domain level
Regards,
Jim