If a VM fails to start, we can't simply free the security label strings, we must call the domainReleaseSecurityLabel() method otherwise the reserved 'mcs' level will be leaked in SElinux * src/qemu/qemu_driver.c: Invoke domainReleaseSecurityLabel() when domain fails to start --- src/qemu/qemu_driver.c | 8 +++----- 1 files changed, 3 insertions(+), 5 deletions(-) diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index b67abf1..6c66b22 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -2978,11 +2978,9 @@ cleanup: /* We jump here if we failed to start the VM for any reason * XXX investigate if we can kill this block and safely call * qemudShutdownVMDaemon even though no PID is running */ - if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) { - VIR_FREE(vm->def->seclabel.model); - VIR_FREE(vm->def->seclabel.label); - VIR_FREE(vm->def->seclabel.imagelabel); - } + if (driver->securityDriver && + driver->securityDriver->domainReleaseSecurityLabel) + driver->securityDriver->domainReleaseSecurityLabel(conn, vm); qemuRemoveCgroup(conn, driver, vm, 0); if ((vm->def->ngraphics == 1) && vm->def->graphics[0]->type == VIR_DOMAIN_GRAPHICS_TYPE_VNC && -- 1.6.5.2 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list