On Wed, Jul 25, 2012 at 10:56:37 +0100, Daniel P. Berrange wrote:
On Wed, Jul 25, 2012 at 11:41:27AM +0200, Jiri Denemark wrote:
> When an unconfined domain is being started, it doesn't make any sense to
> automatically relabel its disk images with the default label. Moreover,
> doing so would fail because the generated label would be generated
> without the "s0" sensitivity (since mcs is NULL in this case).
> ---
> src/security/security_selinux.c | 9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
> index ca19b70..02808a4 100644
> --- a/src/security/security_selinux.c
> +++ b/src/security/security_selinux.c
> @@ -370,8 +370,13 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
> goto cleanup;
> }
>
> - if (!def->seclabel.norelabel) {
> - def->seclabel.imagelabel =
virSecuritySELinuxGenNewContext(data->file_context, mcs);
> + /* Generating image label does not make any sense if the domain itself
> + * will not be labeled.
> + */
> + if (def->seclabel.type != VIR_DOMAIN_SECLABEL_NONE &&
> + !def->seclabel.norelabel) {
> + def->seclabel.imagelabel =
> + virSecuritySELinuxGenNewContext(data->file_context, mcs);
> if (!def->seclabel.imagelabel) {
> virReportError(VIR_ERR_INTERNAL_ERROR,
> _("cannot generate selinux context for %s"),
mcs);
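Review bot: the new guard `if (def->seclabel.type != VIR_DOMAIN_SECLABEL_NONE &&` means `def->seclabel.imagelabel` now stays NULL for unconfined domains instead of being generated, so every code path in this file that later reads `imagelabel` (disk, hostdev and other resource relabeling) must tolerate a NULL value; please audit those call sites (or add an explicit NULL check in the shared label-setting helper) before this goes in, otherwise the change trades a failed label generation for a NULL dereference. The comment block above the condition could also state that `imagelabel` is intentionally left NULL in that case, so readers of the consumers know it is a valid state rather than an error.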
ACK, assuming all places in the file already handle the case of an
imagelabel==NULL.
It appeared only disk labeling was working correctly with imagelabel == NULL,
methods relabeling other resources could not handle it. Anyway, the correct
fix seems to be a bit different, I'll send a v2.
Jirka