On Mon, Nov 21, 2016 at 9:03 AM, Guido Günther <agx@sigxcpu.org> wrote:

This should be shortened and clarified (see the other part of the
thread). IMHO the root cause is that we parse the active domain XML but
the live part of the seclabel is not filled in yet.

Ok, reasonable to keep the actual commit slimmed down after the discussion is done.

Will be shortened on the next revision.

I also have rewritten the steps to reproduce to be more straight forward.

Let me know if you would like those also out of the commit messages scope.

[...]

> + VIR_DOMAIN_DEF_PARSE_SKIP_ACTIVE_LABEL = 1 << 11,

/* skip parsing of seclabel */
VIR_DOMAIN_DEF_PARSE_SKIP_SECLABEL = 1 << 11,

is IMHO shorter and I would then change the code to skip the whole
seclabel parsing since it's of no need for virt-aa-helper.

I agree that this shorter naming is better.

Will do so on the next revision I submit later today.

Another possibility is to not introduce a new flag but filter out
seclabels in virt-aa-helper before parsing the XML without cluttering
domain_conf.c even more for this special case.

I liked the idea but failed to implement it this way - I guess due to my lack of experience on libxml (or virXML) functions.

A version that felt to be "almost there" based on an Xpath can be found here: http://paste.ubuntu.com/23511691/

Most of the complexity is the back and forth of conversion to get it back into the string and not the actual stripping.

If it really is close, feedback is welcome - currently it just doesn't strip anything while the same xpath string does work as intended on xmllint.