[libvirt] [PATCH 03/12] Fix leak of allocated security label

If a VM fails to start, we can't simply free the security label
strings, we must call the domainReleaseSecurityLabel() method
otherwise the reserved 'mcs' level will be leaked in SELinux

* src/qemu/qemu_driver.c: Invoke domainReleaseSecurityLabel()
  when domain fails to start
---
 src/qemu/qemu_driver.c |    8 +++-----
 1 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index b67abf1..6c66b22 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -2978,11 +2978,9 @@ cleanup:
     /* We jump here if we failed to start the VM for any reason
      * XXX investigate if we can kill this block and safely call
      * qemudShutdownVMDaemon even though no PID is running */
-    if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
-        VIR_FREE(vm->def->seclabel.model);
-        VIR_FREE(vm->def->seclabel.label);
-        VIR_FREE(vm->def->seclabel.imagelabel);
-    }
+    if (driver->securityDriver &&
+        driver->securityDriver->domainReleaseSecurityLabel)
+        driver->securityDriver->domainReleaseSecurityLabel(conn, vm);
     qemuRemoveCgroup(conn, driver, vm, 0);
     if ((vm->def->ngraphics == 1) &&
         vm->def->graphics[0]->type == VIR_DOMAIN_GRAPHICS_TYPE_VNC &&
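
Review bot: The new call under the cleanup label drops the VIR_DOMAIN_SECLABEL_DYNAMIC check that guarded the removed VIR_FREE() lines, so domainReleaseSecurityLabel() now runs for every label type and on every failure path, including ones reached before a label was generated (the comment above says this block is hit when the start fails "for any reason"). It is worth confirming that the callback leaves a statically configured label untouched and tolerates a NULL seclabel.label, or else keeping the type check around the call. The return value is also discarded; if a failed release can still leave the 'mcs' level reserved, logging the failure here would make that visible.
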
-- 
1.6.5.2
