
On Thu, Mar 21, 2013 at 04:35:11PM +0100, Michal Privoznik wrote:
https://bugzilla.redhat.com/show_bug.cgi?id=923946
The <seclabel type='none'/> should be added iff there is no other seclabel defined within a domain. This bug can be easily reproduced: 1) configure selinux seclabel for a domain 2) disable system's selinux and restart libvirtd 3) observe <seclabel type='none'/> being appended to a domain on its startup --- src/security/security_manager.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index 5c2a95b..b55af69 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -455,11 +455,16 @@ int virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
 }
 }
- if ((seclabel->type == VIR_DOMAIN_SECLABEL_NONE) &&
- sec_managers[i]->requireConfined) {
- virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
- _("Unconfined guests are not allowed on this host"));
- goto cleanup;
+ if (seclabel->type == VIR_DOMAIN_SECLABEL_NONE) {
+ if (sec_managers[i]->requireConfined) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("Unconfined guests are not allowed on this host"));
+ goto cleanup;
+ } else if (vm->nseclabels && generated) {
+ VIR_DEBUG("Skipping auto generated seclabel of type none");
+ virSecurityLabelDefFree(seclabel);
+ continue;
+ }
 }
if (!sec_managers[i]->drv->domainGenSecurityLabel) {
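Review bot: The new `else if (vm->nseclabels && generated)` branch drops the implicit 'none' label with only `VIR_DEBUG("Skipping auto generated seclabel of type none")`, which does not say which security driver was skipped. In the scenario from the description (a domain with an SELinux seclabel started on a host where SELinux is disabled), this debug line is the only trace that the guest starts without a label from this manager. The message should name the driver, e.g. `VIR_DEBUG("Skipping auto generated seclabel of type none for driver %s", sec_managers[i]->drv->name);`, and a higher log level may be worth considering when none of the domain's configured labels matches an active driver. The branch frees `seclabel` itself before `continue`; whether the `goto cleanup` path just above does the same for a generated label depends on the `cleanup:` code, which is outside the hunk along with the rest of virSecurityManagerGenLabel's loop.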
ACK Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|