[libvirt] [PATCH] Ensure QEMU DAC security driver is activated at all times


 



If the primary security driver (SELinux/AppArmor) was disabled
then the secondary QEMU DAC security driver was also disabled.
This is mistaken, because the latter must be active at all times.

* src/qemu/qemu_driver.c: Ensure DAC driver is always active
---
 src/qemu/qemu_driver.c |   22 ++++++++++++----------
 1 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 16e9b56..a9313e7 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -897,26 +897,28 @@ qemudSecurityInit(struct qemud_driver *qemud_drv)
     int ret;
     virSecurityDriverPtr security_drv;
 
+    qemuSecurityStackedSetDriver(qemud_drv);
+    qemuSecurityDACSetDriver(qemud_drv);
+
     ret = virSecurityDriverStartup(&security_drv,
                                    qemud_drv->securityDriverName);
     if (ret == -1) {
         VIR_ERROR0(_("Failed to start security driver"));
         return -1;
     }
-    /* No security driver wanted to be enabled: just return */
+
+    /* No primary security driver wanted to be enabled: just setup
+     * the DAC driver on its own */
     if (ret == -2) {
+        qemud_drv->securityDriver = &qemuDACSecurityDriver;
         VIR_INFO0(_("No security driver available"));
-        return 0;
+    } else {
+        qemud_drv->securityPrimaryDriver = security_drv;
+        qemud_drv->securitySecondaryDriver = &qemuDACSecurityDriver;
+        qemud_drv->securityDriver = &qemuStackedSecurityDriver;
+        VIR_INFO("Initialized security driver %s", security_drv->name);
     }
 
-    qemuSecurityStackedSetDriver(qemud_drv);
-    qemuSecurityDACSetDriver(qemud_drv);
-
-    qemud_drv->securityPrimaryDriver = security_drv;
-    qemud_drv->securitySecondaryDriver = &qemuDACSecurityDriver;
-    qemud_drv->securityDriver = &qemuStackedSecurityDriver;
-
-    VIR_INFO("Initialized security driver %s", security_drv->name);
     return 0;
 }
 
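Review bot: In the `ret == -2` branch the retained message `VIR_INFO0(_("No security driver available"))` is now inaccurate, because the line above it has just installed `qemuDACSecurityDriver` as `securityDriver`; someone auditing the logs would read it as the guest running with no confinement layer at all. I would reword it to `VIR_INFO0(_("No primary security driver available, using DAC driver only"));`. The same branch leaves `securityPrimaryDriver` and `securitySecondaryDriver` unassigned, so it depends on the driver struct being zeroed and on every reader of those fields checking for NULL, neither of which is visible here. Setting `qemud_drv->securityPrimaryDriver = NULL;` explicitly would remove the first dependency, and it is worth confirming that any code reporting the security model does not now take the DAC driver's name from `securityDriver`. The opening lines of `qemudSecurityInit` are outside the hunk.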
-- 
1.6.6
