[libvirt] [PATCH v1 21/23] security_dac: Restore original owner more often

Michal Privoznik mprivozn at redhat.com
Mon Oct 12 10:26:06 UTC 2015

Now that we know what label we should restore and we do have
a reference counter for each seclabel, we restore the original
seclabel only after the last domain is torn down. Therefore, we
can safely try to restore labels even for RO or shared disks. The
reference counter will take care of everything.

Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
 src/security/security_dac.c | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 5c99dfa..59b16ef 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -561,14 +561,6 @@ virSecurityDACRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr,
     if (!priv->dynamicOwnership)
         return 0;
-    /* Don't restore labels on readoly/shared disks, because other VMs may
-     * still be accessing these. Alternatively we could iterate over all
-     * running domains and try to figure out if it is in use, but this would
-     * not work for clustered filesystems, since we can't see running VMs using
-     * the file on other nodes. Safest bet is thus to skip the restore step. */
-    if (src->readonly || src->shared)
-        return 0;
     secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
     if (secdef && !secdef->relabel)
         return 0;
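
Review bot: The comment deleted with the `src->readonly || src->shared` check gave two reasons for skipping the restore, and the commit message only answers the first one (other local domains, now handled by the reference counter). The second reason, that on clustered filesystems "we can't see running VMs using the file on other nodes", is not addressed anywhere in this patch: if the reference counter is not visible to other nodes, tearing down the last local domain would restore the original owner while a VM on another node may still have the image open. Please either say in the commit message why the counter covers that case, or keep the early return for shared disks on such storage. A short replacement comment stating what now makes the restore safe for RO/shared disks would also help the next reader of this function.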
