On 09/04/2014 03:24 AM, Michal Privoznik wrote:
https://bugzilla.redhat.com/show_bug.cgi?id=1027096#c8
There are two ways in which security model can make it way into <seclabel/>. One is as the @model attribute, the second one is via security_driver knob in qemu.conf. Then, while parsing <seclabel/> several checks and fix ups of old, stale combinations are performed. However, iff @model is specified. They are not done in the latter case. So it's still possible to feed libvirt with senseless combinations (if qemu.conf is adjusted correctly).
A design choice that keeps on giving... maybe someday we'll be bug-free on all possible label scenarios.
One example of a seclabel that needs some adjustment (in case security_driver=none in qemu.conf) is:
<seclabel type='dynamic' relabel='yes'/>
The fixup code is copied from virSecurityLabelDefParseXML (covering the former case) into virSecurityLabelDefsParseXML (which handles the latter case).
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- src/conf/domain_conf.c | 7 +++++++ 1 file changed, 7 insertions(+)
ACK. -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org