[libvirt] [PATCH] security: Do not restore labels on device tree binary
A device tree binary file specified by /domain/os/dtb element is a
read-only resource similar to kernel and initrd files. We shouldn't
restore its label when destroying a domain to avoid breaking other
domains configure with the same device tree.
Signed-off-by: Jiri Denemark <jdenemar(a)redhat.com>
---
src/security/security_dac.c | 4 ----
src/security/security_selinux.c | 4 ----
2 files changed, 8 deletions(-)
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 378b922..a09aba5 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -1128,10 +1128,6 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
virSecurityDACRestoreFileLabel(priv, def->os.loader->nvram) < 0)
rc = -1;
- if (def->os.dtb &&
- virSecurityDACRestoreFileLabel(priv, def->os.dtb) < 0)
- rc = -1;
-
return rc;
}
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 475cdbc..9e98635 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -2034,10 +2034,6 @@ virSecuritySELinuxRestoreAllLabel(virSecurityManagerPtr mgr,
virSecuritySELinuxRestoreFileLabel(mgr, def->os.loader->nvram) < 0)
rc = -1;
- if (def->os.dtb &&
- virSecuritySELinuxRestoreFileLabel(mgr, def->os.dtb) < 0)
- rc = -1;
-
return rc;
}
--
2.7.0