Kernel/initrd files are essentially read-only shareable images and thus should be handled in the same way. We already use the appropriate label for kernel/initrd files when starting a domain, but when a domain gets destroyed we would remove the labels which would make other running domains using the same files very unhappy. https://bugzilla.redhat.com/show_bug.cgi?id=921135
Signed-off-by: Jiri Denemark <jdenemar@xxxxxxxxxx>
---
 src/security/security_dac.c | 8 --------
 src/security/security_selinux.c | 8 --------
 2 files changed, 16 deletions(-)
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 80709fe..378b922 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -1128,14 +1128,6 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
 virSecurityDACRestoreFileLabel(priv, def->os.loader->nvram) < 0)
 rc = -1;

- if (def->os.kernel &&
- virSecurityDACRestoreFileLabel(priv, def->os.kernel) < 0)
- rc = -1;
-
- if (def->os.initrd &&
- virSecurityDACRestoreFileLabel(priv, def->os.initrd) < 0)
- rc = -1;
-
 if (def->os.dtb &&
 virSecurityDACRestoreFileLabel(priv, def->os.dtb) < 0)
 rc = -1;
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 721c451..475cdbc 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -2034,14 +2034,6 @@ virSecuritySELinuxRestoreAllLabel(virSecurityManagerPtr mgr,
 virSecuritySELinuxRestoreFileLabel(mgr, def->os.loader->nvram) < 0)
 rc = -1;

- if (def->os.kernel &&
- virSecuritySELinuxRestoreFileLabel(mgr, def->os.kernel) < 0)
- rc = -1;
-
- if (def->os.initrd &&
- virSecuritySELinuxRestoreFileLabel(mgr, def->os.initrd) < 0)
- rc = -1;
-
 if (def->os.dtb &&
 virSecuritySELinuxRestoreFileLabel(mgr, def->os.dtb) < 0)
 rc = -1;
--
2.7.0
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list