A device tree binary file specified by the /domain/os/dtb element is a
read-only resource similar to kernel and initrd files. We shouldn't
restore its label when destroying a domain, to avoid breaking other
domains configured with the same device tree.
Signed-off-by: Jiri Denemark <jdenemar(a)redhat.com>
---
src/security/security_dac.c | 4 ----
src/security/security_selinux.c | 4 ----
2 files changed, 8 deletions(-)
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 378b922..a09aba5 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -1128,10 +1128,6 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
virSecurityDACRestoreFileLabel(priv, def->os.loader->nvram) < 0)
rc = -1;
- if (def->os.dtb &&
- virSecurityDACRestoreFileLabel(priv, def->os.dtb) < 0)
- rc = -1;
-
return rc;
}
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 475cdbc..9e98635 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -2034,10 +2034,6 @@ virSecuritySELinuxRestoreAllLabel(virSecurityManagerPtr mgr,
virSecuritySELinuxRestoreFileLabel(mgr, def->os.loader->nvram) < 0)
rc = -1;
- if (def->os.dtb &&
- virSecuritySELinuxRestoreFileLabel(mgr, def->os.dtb) < 0)
- rc = -1;
-
return rc;
}
--
2.7.0