Ján Tomko wrote:
On 05/16/2014 06:16 AM, Jim Fehlig wrote:
> The DAC driver ignores the relabel='no' attribute in chardev config
>
> <serial type='file'>
> <source path='/tmp/jim/test.file'>
> <seclabel model='dac' relabel='no'/>
> </source>
> <target port='0'/>
> </serial>
>
> This patch avoids labeling chardevs when relabel='no' is specified.
>
> Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
> Signed-off-by: Jim Fehlig <jfehlig(a)suse.com>
> ---
> src/security/security_dac.c | 65 ++++++++++++++++++++++++++++++++-------------
> 1 file changed, 46 insertions(+), 19 deletions(-)
>
> diff --git a/src/security/security_dac.c b/src/security/security_dac.c
> index 4434cd0..20f349f 100644
> --- a/src/security/security_dac.c
> +++ b/src/security/security_dac.c
> @@ -705,25 +707,35 @@ virSecurityDACSetChardevLabel(virSecurityManagerPtr mgr,
>
> seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
>
> - if (virSecurityDACGetIds(seclabel, priv, &user, &group, NULL, NULL))
> - return -1;
> + if (dev)
> + chr_seclabel = virDomainChrDefGetSecurityLabelDef(dev,
> + SECURITY_DAC_NAME);
>
A check for seclabel->norelabel and chr_seclabel->norelabel is missing here.
virSecurityDACSetChardevLabel() is only called internally, and in all
cases via virSecurityDACSetSecurityAllLabel(), which already checks for
seclabel->norelabel. But you are right about the missing check for
chr_seclabel->norelabel. I added it to the patch before pushing.
Regards,
Jim