It's not exactly obvious but these two patches fix quite an ugly bug affecting
setups without any useful security driver (i.e., either explicitly or
implicitly using driver 'none').
When a domain is defined without any <seclabel> element in its XML and started
by libvirt, an incorrect <seclabel> element is put into its runtime XML
configuration which causes such domain to disappear from libvirt when libvirtd
is restarted. Without these patches, the incorrect element is
<seclabel type='dynamic' relabel='yes'/>
after applying patch 2/2, the element is
<seclabel type='none' relabel='yes'/>
which is still wrong and after applying both of these patches, correct element
<seclabel type='none'/>
is placed into the runtime XML configuration.
Jiri Denemark (2):
seclabel: Do not output relabel attribute for type 'none'
security: Driver 'none' cannot create confined guests
src/conf/domain_conf.c | 9 +++++----
src/security/security_manager.c | 20 ++++++++++++++++++++
.../qemuxml2argv-seclabel-none.xml | 2 +-
tests/seclabeltest.c | 2 +-
4 files changed, 27 insertions(+), 6 deletions(-)
--
1.7.8.4
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list