
On 08/13/2013 08:11 AM, Daniel P. Berrange wrote:
On Mon, Aug 12, 2013 at 10:19:47PM -0600, Eric Blake wrote:
https://bugzilla.redhat.com/show_bug.cgi?id=924153
Commit 904e05a2 (v0.9.9) added a per-<disk> seclabel element with an attribute relabel='no' in order to try and minimize the impact of shutdown delays when an NFS server disappears. The idea was that if a disk is on NFS and can't be labeled in the first place, there is no need to attempt the (no-op) relabel on domain shutdown. Unfortunately, the way this was implemented was by modifying the domain XML so that the optimization would survive libvirtd restart, but in a way that is indistinguishable from an explicit user setting. Furthermore, once the setting is turned on, libvirt avoids attempts at labeling, even for operations like snapshot or blockcopy where the chain is being extended or pivoted onto non-NFS, where SELinux labeling is once again possible. As a result, it was impossible to do a blockcopy to pivot from an NFS image file onto a local file.
The changes look reasonable, but I'd be a lot happier if the securityselinuxlabeltest.c was covering this scenario. We already have that test using an LD_PRELOAD hack to mock the selinux APIs. It ought to be possible to extend it to return the same errno conditions you'd see on NFS, when given certain filenames, to allow this code to be validated.
Okay, I'll work on a followup patch to do that.

-- 
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
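
The kind of mock suggested in the review above, as an added example that is not code from this thread or from libvirt's test suite: a stand-in for libselinux's `setfilecon_raw()` that fails for chosen filenames, plus a caller that must still label a local target after an NFS source was skipped. The path prefix, `mock_label_of()`, `label_image()` and the choice of `EOPNOTSUPP` as the NFS errno are assumptions made for illustration.

```c
/* Added example: LD_PRELOAD-style stand-in for libselinux setfilecon_raw().
 * MOCK_NFS_PREFIX, mock_label_of() and label_image() are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MOCK_NFS_PREFIX "/mock-nfs/"  /* paths here behave like unlabelable NFS */
#define MAX_LABELS 8

static struct { char path[128]; char con[128]; } labels[MAX_LABELS];
static int nlabels;

/* Same prototype as current libselinux headers declare. */
int setfilecon_raw(const char *path, const char *con)
{
    if (strncmp(path, MOCK_NFS_PREFIX, strlen(MOCK_NFS_PREFIX)) == 0) {
        errno = EOPNOTSUPP;           /* assumed errno for "cannot label" */
        return -1;
    }
    if (nlabels == MAX_LABELS) {
        errno = ENOSPC;               /* mock table full */
        return -1;
    }
    snprintf(labels[nlabels].path, sizeof(labels[nlabels].path), "%s", path);
    snprintf(labels[nlabels].con, sizeof(labels[nlabels].con), "%s", con);
    nlabels++;
    return 0;
}

/* Test-side lookup: most recent label recorded for path, or NULL. */
const char *mock_label_of(const char *path)
{
    for (int i = nlabels - 1; i >= 0; i--)
        if (strcmp(labels[i].path, path) == 0)
            return labels[i].con;
    return NULL;
}

/* Hypothetical caller: 1 = labeled, 0 = skipped as unsupported, -1 = error.
 * Nothing is remembered between calls, so skipping an NFS source does not
 * stop a later local target from being labeled. */
int label_image(const char *path, const char *con)
{
    if (setfilecon_raw(path, con) == 0)
        return 1;
    return errno == EOPNOTSUPP ? 0 : -1;
}
```

Built as a shared object and preloaded, the same `setfilecon_raw()` would shadow the library's symbol for the process under test.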