Re: [PATCH] conf: Reject invalid device's <seclabel relabel='yes'/> with no <label/>

We allow (some) domain devices to have a different <seclabel/> than the top level domain one (this is mostly to allow access to a resource for multiple domains). Now, we do couple of sanity checks for such <seclabel/>, e.g. when the <label/> is specified, but '@relabel' is set to no. But what we are missing is the opposite: then '@relabel' is set, but no <label/> was provided.

Our schema already denies such combination. Make our parser behave the same. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2160356 Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com&gt; --- src/conf/domain_conf.c | 14 +++++++- .../seclabel-device-relabel-invalid.err | 1 + .../seclabel-device-relabel-invalid.xml | 35 +++++++++++++++++++ tests/qemuxml2argvtest.c | 1 + 4 files changed, 50 insertions(+), 1 deletion(-) create mode 100644 tests/qemuxml2argvdata/seclabel-device-relabel-invalid.err create mode 100644 tests/qemuxml2argvdata/seclabel-device-relabel-invalid.xml