When an unconfined domain is begin started, it doesn't make any sense to automatically relabel its disk images with the default label. Morever, doing so would fail because the generated label would be generated without the "s0" sensitivity (since mcs is NULL in this case). --- src/security/security_selinux.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index ca19b70..02808a4 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -370,8 +370,13 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr, goto cleanup; } - if (!def->seclabel.norelabel) { - def->seclabel.imagelabel = virSecuritySELinuxGenNewContext(data->file_context, mcs); + /* Generating image label does not make any sense if the domain itself + * will not be labeled. + */ + if (def->seclabel.type != VIR_DOMAIN_SECLABEL_NONE && + !def->seclabel.norelabel) { + def->seclabel.imagelabel = + virSecuritySELinuxGenNewContext(data->file_context, mcs); if (!def->seclabel.imagelabel) { virReportError(VIR_ERR_INTERNAL_ERROR, _("cannot generate selinux context for %s"), mcs); -- 1.7.11.1 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list