[PATCH 2/5] security_selinux: Drop needless checks for seclabel->model == "selinux"

Wednesday, 23 July 2025

From: Michal Privoznik <mprivozn(a)redhat.com&gt;

In few instances, after
virDomainDefGetSecurityLabelDef(SECURITY_SELINUX_NAME) was
called, we take the returned secdef and compare secdef->model
against SECURITY_SELINUX_NAME. This makes no sense because
virDomainDefGetSecurityLabelDef() has already done this
comparison.

Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com&gt;
---
 src/security/security_selinux.c | 51 ---------------------------------
 1 file changed, 51 deletions(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 402e0b7737..61a47f23c4 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -899,14 +899,6 @@ virSecuritySELinuxGenLabel(virSecurityManager *mgr,
         return rc;
     }
 
-    if (seclabel->model &&
-        STRNEQ(seclabel->model, SECURITY_SELINUX_NAME)) {
-        virReportError(VIR_ERR_INTERNAL_ERROR,
-                       _("security label model %1$s is not supported with
selinux"),
-                       seclabel->model);
-        return rc;
-    }
-
     VIR_DEBUG("type=%d", seclabel->type);
 
     switch (seclabel->type) {
@@ -3020,13 +3012,6 @@ virSecuritySELinuxVerify(virSecurityManager *mgr G_GNUC_UNUSED,
     if (secdef == NULL)
         return 0;
 
-    if (STRNEQ(SECURITY_SELINUX_NAME, secdef->model)) {
-        virReportError(VIR_ERR_INTERNAL_ERROR,
-                       _("security label driver mismatch: '%1$s' model
configured for domain, but hypervisor driver is '%2$s'."),
-                       secdef->model, SECURITY_SELINUX_NAME);
-        return -1;
-    }
-
     if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC) {
         if (security_check_context(secdef->label) != 0) {
             virReportError(VIR_ERR_XML_ERROR,
@@ -3049,13 +3034,6 @@ virSecuritySELinuxSetProcessLabel(virSecurityManager *mgr
G_GNUC_UNUSED,
         return 0;
 
     VIR_DEBUG("label=%s", secdef->label);
-    if (STRNEQ(SECURITY_SELINUX_NAME, secdef->model)) {
-        virReportError(VIR_ERR_INTERNAL_ERROR,
-                       _("security label driver mismatch: '%1$s' model
configured for domain, but hypervisor driver is '%2$s'."),
-                       secdef->model, SECURITY_SELINUX_NAME);
-        if (security_getenforce() == 1)
-            return -1;
-    }
 
     if (setexeccon_raw(secdef->label) == -1) {
         virReportSystemError(errno,
@@ -3084,13 +3062,6 @@ virSecuritySELinuxSetChildProcessLabel(virSecurityManager *mgr
G_GNUC_UNUSED,
         return 0;
 
     VIR_DEBUG("label=%s", secdef->label);
-    if (STRNEQ(SECURITY_SELINUX_NAME, secdef->model)) {
-        virReportError(VIR_ERR_INTERNAL_ERROR,
-                       _("security label driver mismatch: '%1$s' model
configured for domain, but hypervisor driver is '%2$s'."),
-                       secdef->model, SECURITY_SELINUX_NAME);
-        if (security_getenforce() == 1)
-            return -1;
-    }
 
     /* pick either the common label used by most binaries exec'ed by
      * libvirt, or the specific label of this binary.
@@ -3132,13 +3103,6 @@ virSecuritySELinuxSetDaemonSocketLabel(virSecurityManager *mgr
G_GNUC_UNUSED,
     if (!secdef || !secdef->label)
         return 0;
 
-    if (STRNEQ(SECURITY_SELINUX_NAME, secdef->model)) {
-        virReportError(VIR_ERR_INTERNAL_ERROR,
-                       _("security label driver mismatch: '%1$s' model
configured for domain, but hypervisor driver is '%2$s'."),
-                       secdef->model, SECURITY_SELINUX_NAME);
-        goto error;
-    }
-
     if (getcon_raw(&scon) == -1) {
         virReportSystemError(errno,
                              _("unable to get current process context
'%1$s'"),
@@ -3175,13 +3139,6 @@ virSecuritySELinuxSetSocketLabel(virSecurityManager *mgr
G_GNUC_UNUSED,
     if (!secdef || !secdef->label)
         return 0;
 
-    if (STRNEQ(SECURITY_SELINUX_NAME, secdef->model)) {
-        virReportError(VIR_ERR_INTERNAL_ERROR,
-                       _("security label driver mismatch: '%1$s' model
configured for domain, but hypervisor driver is '%2$s'."),
-                       secdef->model, SECURITY_SELINUX_NAME);
-        goto error;
-    }
-
     VIR_DEBUG("Setting VM %s socket context %s",
               vm->name, secdef->label);
     if (setsockcreatecon_raw(secdef->label) == -1) {
@@ -3211,14 +3168,6 @@ virSecuritySELinuxClearSocketLabel(virSecurityManager *mgr
G_GNUC_UNUSED,
     if (!secdef || !secdef->label)
         return 0;
 
-    if (STRNEQ(SECURITY_SELINUX_NAME, secdef->model)) {
-        virReportError(VIR_ERR_INTERNAL_ERROR,
-                       _("security label driver mismatch: '%1$s' model
configured for domain, but hypervisor driver is '%2$s'."),
-                       secdef->model, SECURITY_SELINUX_NAME);
-        if (security_getenforce() == 1)
-            return -1;
-    }
-
     if (setsockcreatecon_raw(NULL) == -1) {
         virReportSystemError(errno,
                              _("unable to clear socket security context
'%1$s'"),
-- 
2.49.1

    

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

[PATCH 2/5] security_selinux: Drop needless checks for seclabel->model == "selinux"