On 10.06.2014 13:42, Shivaprasad G Bhat wrote: > > The problem is libvirt kills the guests during libvirt restart if more > than > guest has security type as none. This is because, libvirt as part of > guest- > reconnect tries to reserve the security labels. In case of type=none, the > range > of security context happen to be same for several guests. During > reservation, > the second attempt to reserve the same range fails and the Guests would be > killed. The fix is to avoid reserving labels for type = none during > libvirt > restart. I think the major point is, that for type=none libvirt (according to the docs) should not generate seclabel at all (either for given security model or for all models). I'd expect such explanation in commit message. > > Signed-off-by: Shivaprasad G Bhat <sbhat(a)linux.vnet.ibm.com&gt; > --- > src/security/security_selinux.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/src/security/security_selinux.c > b/src/security/security_selinux.c > index 008c58c..2f8a7f2 100644 > --- a/src/security/security_selinux.c > +++ b/src/security/security_selinux.c > @@ -739,7 +739,8 @@ > virSecuritySELinuxReserveSecurityLabel(virSecurityManagerPtr mgr, > virSecurityLabelDefPtr seclabel; > > seclabel = virDomainDefGetSecurityLabelDef(def, > SECURITY_SELINUX_NAME); > - if (!seclabel || seclabel->type == VIR_DOMAIN_SECLABEL_STATIC) > + if (!seclabel || seclabel->type == VIR_DOMAIN_SECLABEL_STATIC || > + seclabel->type == VIR_DOMAIN_SECLABEL_NONE) While technically this is okay, I find it nicer if the three conditions are on separate lines. But maybe I'm too picky O:-) > return 0; > > if (getpidcon_raw(pid, &pctx) == -1) { > I feel bad demanding v2, but the commit message needs fixing. But hey - you're on the right track! Michal