Now that we know what label we should restore and we do have
reference counter to each seclabel, we restore the original
seclabel only after the last domain is torn down. Therefore, we
can safely try to restore labels even for RO or shared disks. The
reference counter will take the care of everything.
Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx>
---
src/security/security_dac.c | 8 --------
1 file changed, 8 deletions(-)
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 5c99dfa..59b16ef 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -561,14 +561,6 @@ virSecurityDACRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr,
if (!priv->dynamicOwnership)
return 0;
- /* Don't restore labels on readoly/shared disks, because other VMs may
- * still be accessing these. Alternatively we could iterate over all
- * running domains and try to figure out if it is in use, but this would
- * not work for clustered filesystems, since we can't see running VMs using
- * the file on other nodes. Safest bet is thus to skip the restore step. */
- if (src->readonly || src->shared)
- return 0;
-
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
if (secdef && !secdef->relabel)
return 0;
--
2.4.9
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list