Re: [libvirt] [PATCHv2 2/2] security_dac: Honor norelabel attribute
Ján Tomko wrote:
On 04/04/2014 02:34 PM, Michal Privoznik wrote:
[...]
> src/security/security_dac.c | 92
+++++++++++++++++++++++++++++++++++----------
> 1 file changed, 73 insertions(+), 19 deletions(-)
>
> diff --git a/src/security/security_dac.c b/src/security/security_dac.c
> index 8835d49..f15a0e9 100644
> --- a/src/security/security_dac.c
> +++ b/src/security/security_dac.c
> @@ -286,7 +286,7 @@ virSecurityDACRestoreSecurityFileLabel(const char *path)
>
>
> static int
> -virSecurityDACSetSecurityFileLabel(virDomainDiskDefPtr disk ATTRIBUTE_UNUSED,
> +virSecurityDACSetSecurityFileLabel(virDomainDiskDefPtr disk,
> const char *path,
> size_t depth ATTRIBUTE_UNUSED,
> void *opaque)
> @@ -295,11 +295,23 @@ virSecurityDACSetSecurityFileLabel(virDomainDiskDefPtr disk
ATTRIBUTE_UNUSED,
> virSecurityManagerPtr mgr = cbdata->manager;
> virSecurityLabelDefPtr secdef = cbdata->secdef;
> virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
> + virSecurityDeviceLabelDefPtr disk_seclabel;
> uid_t user;
> gid_t group;
>
> - if (virSecurityDACGetImageIds(secdef, priv, &user, &group) < 0)
> - return -1;
> + disk_seclabel = virDomainDiskDefGetSecurityLabelDef(disk,
> + SECURITY_DAC_NAME);
> +
> + if (disk_seclabel && disk_seclabel->norelabel)
> + return 0;
>
What if the domain label has relabel='no', but the disk label has
relabel='yes'?
Seems that configuration is not valid. When trying it, I get
error: XML error: label overrides require relabeling to be enabled at
the domain level
Regards,
Jim