On Mon, Oct 12, 2015 at 12:26:06 +0200, Michal Privoznik wrote: > Now that we know what label we should restore and we do have > reference counter to each seclabel, we restore the original > seclabel only after the last domain is torn down. Therefore, we > can safely try to restore labels even for RO or shared disks. The > reference counter will take the care of everything. > > Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx> > --- > src/security/security_dac.c | 8 -------- > 1 file changed, 8 deletions(-) > > diff --git a/src/security/security_dac.c b/src/security/security_dac.c > index 5c99dfa..59b16ef 100644 > --- a/src/security/security_dac.c > +++ b/src/security/security_dac.c > @@ -561,14 +561,6 @@ virSecurityDACRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr, > if (!priv->dynamicOwnership) > return 0; > > - /* Don't restore labels on readoly/shared disks, because other VMs may > - * still be accessing these. Alternatively we could iterate over all > - * running domains and try to figure out if it is in use, but this would > - * not work for clustered filesystems, since we can't see running VMs using > - * the file on other nodes. Safest bet is thus to skip the restore step. */ > - if (src->readonly || src->shared) > - return 0; > - This will regress if you use the 'nop' driver for "storing" locks but still expect libvirt not to break your labelling. Peter
Attachment:
signature.asc
Description: Digital signature
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list