[libvirt] [PATCH v1 21/23] security_dac: Restore original owner more often
Peter Krempa
pkrempa at redhat.com
Fri Oct 16 07:55:27 UTC 2015
On Mon, Oct 12, 2015 at 12:26:06 +0200, Michal Privoznik wrote:
> Now that we know what label we should restore and we do have
> reference counter to each seclabel, we restore the original
> seclabel only after the last domain is torn down. Therefore, we
> can safely try to restore labels even for RO or shared disks. The
> reference counter will take the care of everything.
>
> Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
> ---
> src/security/security_dac.c | 8 --------
> 1 file changed, 8 deletions(-)
>
> diff --git a/src/security/security_dac.c b/src/security/security_dac.c
> index 5c99dfa..59b16ef 100644
> --- a/src/security/security_dac.c
> +++ b/src/security/security_dac.c
> @@ -561,14 +561,6 @@ virSecurityDACRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr,
> if (!priv->dynamicOwnership)
> return 0;
>
> - /* Don't restore labels on readoly/shared disks, because other VMs may
> - * still be accessing these. Alternatively we could iterate over all
> - * running domains and try to figure out if it is in use, but this would
> - * not work for clustered filesystems, since we can't see running VMs using
> - * the file on other nodes. Safest bet is thus to skip the restore step. */
> - if (src->readonly || src->shared)
> - return 0;
> -
This will regress if you use the 'nop' driver for "storing" locks but
still expect libvirt not to break your labelling.
Peter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20151016/292c9c96/attachment-0001.sig>
More information about the libvir-list
mailing list