
On 05/16/2014 06:16 AM, Jim Fehlig wrote:
The DAC driver ignores the relabel='no' attribute in chardev config
<serial type='file'> <source path='/tmp/jim/test.file'> <seclabel model='dac' relabel='no'/> </source> <target port='0'/> </serial>
This patch avoids labeling chardevs when relabel='no' is specified.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Signed-off-by: Jim Fehlig <jfehlig@suse.com> --- src/security/security_dac.c | 65 ++++++++++++++++++++++++++++++++------------- 1 file changed, 46 insertions(+), 19 deletions(-)
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 4434cd0..20f349f 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -705,25 +707,35 @@ virSecurityDACSetChardevLabel(virSecurityManagerPtr mgr,
seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
- if (virSecurityDACGetIds(seclabel, priv, &user, &group, NULL, NULL))
- return -1;
+ if (dev)
+ chr_seclabel = virDomainChrDefGetSecurityLabelDef(dev,
+ SECURITY_DAC_NAME);
A check for seclabel->norelabel and chr_seclabel->norelabel is missing here.
- switch ((enum virDomainChrType) dev->type) {
+ if (chr_seclabel && chr_seclabel->label) {
+ if (virParseOwnershipIds(chr_seclabel->label, &user, &group) < 0)
+ return -1;
+ } else {
+ if (virSecurityDACGetIds(seclabel, priv, &user, &group, NULL, NULL) < 0)
+ return -1;
+ }
+
+ switch ((enum virDomainChrType) dev_source->type) {
 case VIR_DOMAIN_CHR_TYPE_DEV:
 case VIR_DOMAIN_CHR_TYPE_FILE:
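Review bot: `chr_seclabel` is assigned only under `if (dev)` but is read unconditionally in `if (chr_seclabel && chr_seclabel->label)`, so on the `dev == NULL` path the choice between the per-device owner and the domain-wide DAC ids depends on how the variable was declared. The declaration is outside the quoted hunk (the function starts and ends outside it); if it is not already initialised there, it should be set to `NULL` at the declaration, because this branch presumably decides which uid/gid is applied to the chardev path. A short comment above the new branch would also make the precedence explicit, e.g. `/* a per-device DAC label takes precedence over the domain-wide one */`.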
Jan