From: Michal Privoznik <mprivozn@redhat.com> In few instances, after virDomainDefGetSecurityLabelDef(SECURITY_SELINUX_NAME) was called, we take the returned secdef and compare secdef->model against SECURITY_SELINUX_NAME. This makes no sense because virDomainDefGetSecurityLabelDef() has already done this comparison. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- src/security/security_selinux.c | 51 --------------------------------- 1 file changed, 51 deletions(-) diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 402e0b7737..61a47f23c4 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -899,14 +899,6 @@ virSecuritySELinuxGenLabel(virSecurityManager *mgr, return rc; } - if (seclabel->model && - STRNEQ(seclabel->model, SECURITY_SELINUX_NAME)) { - virReportError(VIR_ERR_INTERNAL_ERROR, - _("security label model %1$s is not supported with selinux"), - seclabel->model); - return rc; - } - VIR_DEBUG("type=%d", seclabel->type); switch (seclabel->type) { @@ -3020,13 +3012,6 @@ virSecuritySELinuxVerify(virSecurityManager *mgr G_GNUC_UNUSED, if (secdef == NULL) return 0; - if (STRNEQ(SECURITY_SELINUX_NAME, secdef->model)) { - virReportError(VIR_ERR_INTERNAL_ERROR, - _("security label driver mismatch: '%1$s' model configured for domain, but hypervisor driver is '%2$s'."), - secdef->model, SECURITY_SELINUX_NAME); - return -1; - } - if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC) { if (security_check_context(secdef->label) != 0) { virReportError(VIR_ERR_XML_ERROR, @@ -3049,13 +3034,6 @@ virSecuritySELinuxSetProcessLabel(virSecurityManager *mgr G_GNUC_UNUSED, return 0; VIR_DEBUG("label=%s", secdef->label); - if (STRNEQ(SECURITY_SELINUX_NAME, secdef->model)) { - virReportError(VIR_ERR_INTERNAL_ERROR, - _("security label driver mismatch: '%1$s' model configured for domain, but hypervisor driver is '%2$s'."), - secdef->model, SECURITY_SELINUX_NAME); - if (security_getenforce() == 1) - return -1; - } if (setexeccon_raw(secdef->label) == -1) { virReportSystemError(errno, @@ -3084,13 +3062,6 @@ virSecuritySELinuxSetChildProcessLabel(virSecurityManager *mgr G_GNUC_UNUSED, return 0; VIR_DEBUG("label=%s", secdef->label); - if (STRNEQ(SECURITY_SELINUX_NAME, secdef->model)) { - virReportError(VIR_ERR_INTERNAL_ERROR, - _("security label driver mismatch: '%1$s' model configured for domain, but hypervisor driver is '%2$s'."), - secdef->model, SECURITY_SELINUX_NAME); - if (security_getenforce() == 1) - return -1; - } /* pick either the common label used by most binaries exec'ed by * libvirt, or the specific label of this binary. @@ -3132,13 +3103,6 @@ virSecuritySELinuxSetDaemonSocketLabel(virSecurityManager *mgr G_GNUC_UNUSED, if (!secdef || !secdef->label) return 0; - if (STRNEQ(SECURITY_SELINUX_NAME, secdef->model)) { - virReportError(VIR_ERR_INTERNAL_ERROR, - _("security label driver mismatch: '%1$s' model configured for domain, but hypervisor driver is '%2$s'."), - secdef->model, SECURITY_SELINUX_NAME); - goto error; - } - if (getcon_raw(&scon) == -1) { virReportSystemError(errno, _("unable to get current process context '%1$s'"), @@ -3175,13 +3139,6 @@ virSecuritySELinuxSetSocketLabel(virSecurityManager *mgr G_GNUC_UNUSED, if (!secdef || !secdef->label) return 0; - if (STRNEQ(SECURITY_SELINUX_NAME, secdef->model)) { - virReportError(VIR_ERR_INTERNAL_ERROR, - _("security label driver mismatch: '%1$s' model configured for domain, but hypervisor driver is '%2$s'."), - secdef->model, SECURITY_SELINUX_NAME); - goto error; - } - VIR_DEBUG("Setting VM %s socket context %s", vm->name, secdef->label); if (setsockcreatecon_raw(secdef->label) == -1) { @@ -3211,14 +3168,6 @@ virSecuritySELinuxClearSocketLabel(virSecurityManager *mgr G_GNUC_UNUSED, if (!secdef || !secdef->label) return 0; - if (STRNEQ(SECURITY_SELINUX_NAME, secdef->model)) { - virReportError(VIR_ERR_INTERNAL_ERROR, - _("security label driver mismatch: '%1$s' model configured for domain, but hypervisor driver is '%2$s'."), - secdef->model, SECURITY_SELINUX_NAME); - if (security_getenforce() == 1) - return -1; - } - if (setsockcreatecon_raw(NULL) == -1) { virReportSystemError(errno, _("unable to clear socket security context '%1$s'"), -- 2.49.1

From: Michal Privoznik <mprivozn@redhat.com> In few instances, after virDomainDefGetSecurityLabelDef(SECURITY_APPARMOR_NAME) was called, we take the returned secdef and compare secdef->model against SECURITY_APPARMOR_NAME. This makes no sense because virDomainDefGetSecurityLabelDef() has already done this comparison. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- src/security/security_apparmor.c | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c index 40907c9364..c7412a76c0 100644 --- a/src/security/security_apparmor.c +++ b/src/security/security_apparmor.c @@ -520,14 +520,6 @@ AppArmorSetSecurityProcessLabel(virSecurityManager *mgr G_GNUC_UNUSED, if ((profile_name = get_profile_name(def)) == NULL) return -1; - if (STRNEQ(SECURITY_APPARMOR_NAME, secdef->model)) { - virReportError(VIR_ERR_INTERNAL_ERROR, - _("security label driver mismatch: \'%1$s\' model configured for domain, but hypervisor driver is \'%2$s\'."), - secdef->model, SECURITY_APPARMOR_NAME); - if (use_apparmor() > 0) - return -1; - } - VIR_DEBUG("Changing AppArmor profile to %s", profile_name); if (aa_change_profile(profile_name) < 0) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", @@ -557,14 +549,6 @@ AppArmorSetSecurityChildProcessLabel(virSecurityManager *mgr G_GNUC_UNUSED, if (!secdef || !secdef->label) return 0; - if (STRNEQ(SECURITY_APPARMOR_NAME, secdef->model)) { - virReportError(VIR_ERR_INTERNAL_ERROR, - _("security label driver mismatch: \'%1$s\' model configured for domain, but hypervisor driver is \'%2$s\'."), - secdef->model, SECURITY_APPARMOR_NAME); - if (use_apparmor() > 0) - return -1; - } - if ((profile_name = get_profile_name(def)) == NULL) return -1; -- 2.49.1