This will help facilitate disabling seclabel for an individual VM. One functional change is that the user can now hardcode type='dynamic', but there was no good reason to deny it anyways.

Signed-off-by: Cole Robinson <crobinso@xxxxxxxxxx>
---
 src/conf/domain_conf.c                    | 34 ++++++++++----------
 src/security/security_apparmor.c          |  6 ++--
 src/security/security_selinux.c           |  6 ++--
 .../qemuxml2xml-seclabel-dynamic-out.xml  |  1 +
 4 files changed, 24 insertions(+), 23 deletions(-)

diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 077a396..e5b89a2 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -4238,28 +4238,28 @@ virSecurityLabelDefParseXML(const virDomainDefPtr def,
         goto error;
     }
 
+    p = virXPathStringLimit("string(./seclabel/@model)",
+                            VIR_SECURITY_MODEL_BUFLEN-1, ctxt);
+    if (p == NULL) {
+        virDomainReportError(VIR_ERR_XML_ERROR,
+                             "%s", _("missing security model"));
+        goto error;
+    }
+
+    def->seclabel.model = virDomainSeclabelModelTypeFromString(p);
+    if (def->seclabel.model < 0) {
+        virDomainReportError(VIR_ERR_XML_ERROR,
+                             _("unknown security model '%s'"), p);
+        VIR_FREE(p);
+        goto error;
+    }
+    VIR_FREE(p);
+
     /* Only parse details, if using static labels, or
      * if the 'live' VM XML is requested */
     if (def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC ||
         !(flags & VIR_DOMAIN_XML_INACTIVE)) {
-        p = virXPathStringLimit("string(./seclabel/@model)",
-                                VIR_SECURITY_MODEL_BUFLEN-1, ctxt);
-        if (p == NULL) {
-            virDomainReportError(VIR_ERR_XML_ERROR,
-                                 "%s", _("missing security model"));
-            goto error;
-        }
-
-        def->seclabel.model = virDomainSeclabelModelTypeFromString(p);
-        if (def->seclabel.model < 0) {
-            virDomainReportError(VIR_ERR_XML_ERROR,
-                                 _("unknown security model '%s'"), p);
-            VIR_FREE(p);
-            goto error;
-        }
-        VIR_FREE(p);
-
         p = virXPathStringLimit("string(./seclabel/label[1])",
                                 VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
         if (p == NULL) {
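Review bot: Hoisting the model parse above the static/live condition makes the `model` attribute mandatory for every `<seclabel>` element, so an inactive `<seclabel type='dynamic'/>` written by hand without a model — the case the commit message now allows — fails with "missing security model" where the old code never read the attribute. If that is intended, a comment on the new block such as `/* model is parsed for every label type: the security drivers now check it via virSecurityIsSpecifiedDriver() */` would record why it no longer sits inside the condition; if not, the `p == NULL` branch could leave `def->seclabel.model` at its default instead of jumping to `error`. The error branches are otherwise consistent (`p` is freed before `goto error` only where it was allocated). virSecurityLabelDefParseXML begins before the hunk and continues after it, so whether an earlier check already guarantees the element is present cannot be confirmed from here.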
diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 7a6fe5c..9a49e29 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -431,7 +431,7 @@ AppArmorSecurityManagerGetDOI(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
  * called on shutdown.
  */
 static int
-AppArmorGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+AppArmorGenSecurityLabel(virSecurityManagerPtr mgr,
                          virDomainObjPtr vm)
 {
     int rc = -1;
@@ -440,8 +440,8 @@ AppArmorGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
     if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC)
         return 0;
 
-    if ((vm->def->seclabel.label) ||
-        (vm->def->seclabel.model != VIR_DOMAIN_SECLABEL_MODEL_DEFAULT) ||
+    if ((!virSecurityIsSpecifiedDriver(mgr, vm->def)) ||
+        (vm->def->seclabel.label) ||
         (vm->def->seclabel.imagelabel)) {
         virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                                "%s",
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 2266c21..a03e7d2 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -160,7 +160,7 @@ SELinuxInitialize(void)
 }
 
 static int
-SELinuxGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+SELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
                         virDomainObjPtr vm)
 {
     int rc = -1;
@@ -172,8 +172,8 @@ SELinuxGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
     if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC)
         return 0;
 
-    if (vm->def->seclabel.label ||
-        vm->def->seclabel.model != VIR_DOMAIN_SECLABEL_MODEL_DEFAULT ||
+    if (!virSecurityIsSpecifiedDriver(mgr, vm->def) ||
+        vm->def->seclabel.label ||
         vm->def->seclabel.imagelabel) {
         virSecurityReportError(VIR_ERR_INTERNAL_ERROR, "%s",
                                _("security label already defined for VM"));
diff --git a/tests/qemuxml2xmldata/qemuxml2xml-seclabel-dynamic-out.xml b/tests/qemuxml2xmldata/qemuxml2xml-seclabel-dynamic-out.xml
index 8b344d7..8d3f837 100644
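Review bot: In the second AppArmorGenSecurityLabel hunk the `!virSecurityIsSpecifiedDriver(mgr, vm->def)` test is folded into the condition that reports `security label already defined for VM`, so a label whose model merely names a different driver now yields an error text describing a different problem and steers the user toward removing a label that does not exist. The driver check deserves its own branch with a message naming the mismatch, for example `_("security model does not match this security driver")`, returning `rc`, which is still -1 at that point; the same applies to the SELinuxGenSecurityLabel hunk below, which reuses the same message. If the goal stated in the commit message is to let a VM opt out of a driver, that branch may instead want to `return 0` like the static case just above it, which the commit does not settle. The body of both functions continues past the hunk, so the existing error path after the report call is not visible here.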
--- a/tests/qemuxml2xmldata/qemuxml2xml-seclabel-dynamic-out.xml
+++ b/tests/qemuxml2xmldata/qemuxml2xml-seclabel-dynamic-out.xml
@@ -17,4 +17,5 @@
     <controller type='ide' index='0'/>
     <memballoon model='virtio'/>
   </devices>
+  <seclabel type='dynamic' model='selinux'/>
 </domain>
-- 
1.7.3.2

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list