Re: [libvirt] [PATCH] security: Don't add seclabel of type none if there's already a seclabel

https://bugzilla.redhat.com/show_bug.cgi?id=923946 The <seclabel type='none'/> should be added iff there is no other seclabel defined within a domain. This bug can be easily reproduced: 1) configure selinux seclabel for a domain 2) disable system's selinux and restart libvirtd 3) observe <seclabel type='none'/> being appended to a domain on its startup --- src/security/security_manager.c | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/src/security/security_manager.c b/src/security/security_manager.c index c621366..26262ed 100644 --- a/src/security/security_manager.c +++ b/src/security/security_manager.c @@ -425,7 +425,7 @@ int virSecurityManagerGenLabel(virSecurityManagerPtr mgr, virDomainDefPtr vm) { int rc = 0; - size_t i; + size_t i, j, nsec_managers; virSecurityManagerPtr* sec_managers = NULL; virSecurityLabelDefPtr seclabel; @@ -435,6 +435,26 @@ int virSecurityManagerGenLabel(virSecurityManagerPtr mgr, if ((sec_managers = virSecurityManagerGetNested(mgr)) == NULL) return -1; + for (nsec_managers = 0; sec_managers[nsec_managers]; nsec_managers++) + ; + + for (i = 0; sec_managers[i]; i++) { + if (STRNEQ(sec_managers[i]->drv->name, "none")) + continue; + + /* If there's a seclabel defined for a @vm other than NOP, + * we don't want to define seclabel of type 'none' */ + for (j = 0; i < vm->nseclabels; j++) { + if (vm->seclabels[j]->type == VIR_DOMAIN_SECLABEL_NONE) + continue; + + VIR_DEBUG("Skipping NOP security manager"); + memmove(sec_managers + i, sec_managers + i + 1, + (nsec_managers - i + 1) * sizeof(sec_managers)); + break; + } + }

+ virObjectLock(mgr); for (i = 0; sec_managers[i]; i++) { seclabel = virDomainDefGetSecurityLabelDef(vm,