Ján Tomko wrote:
On 04/04/2014 02:34 PM, Michal Privoznik wrote:
[...]
src/security/security_dac.c | 92 +++++++++++++++++++++++++++++++++++---------- 1 file changed, 73 insertions(+), 19 deletions(-)
diff --git a/src/security/security_dac.c b/src/security/security_dac.c index 8835d49..f15a0e9 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -286,7 +286,7 @@ virSecurityDACRestoreSecurityFileLabel(const char *path)
static int -virSecurityDACSetSecurityFileLabel(virDomainDiskDefPtr disk ATTRIBUTE_UNUSED, +virSecurityDACSetSecurityFileLabel(virDomainDiskDefPtr disk, const char *path, size_t depth ATTRIBUTE_UNUSED, void *opaque) @@ -295,11 +295,23 @@ virSecurityDACSetSecurityFileLabel(virDomainDiskDefPtr disk ATTRIBUTE_UNUSED, virSecurityManagerPtr mgr = cbdata->manager; virSecurityLabelDefPtr secdef = cbdata->secdef; virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr); + virSecurityDeviceLabelDefPtr disk_seclabel; uid_t user; gid_t group;
- if (virSecurityDACGetImageIds(secdef, priv, &user, &group) < 0) - return -1; + disk_seclabel = virDomainDiskDefGetSecurityLabelDef(disk, + SECURITY_DAC_NAME); + + if (disk_seclabel && disk_seclabel->norelabel) + return 0;
What if the domain label has relabel='no', but the disk label has relabel='yes'?
Seems that configuration is not valid. When trying it, I get error: XML error: label overrides require relabeling to be enabled at the domain level Regards, Jim