On Wed, Jul 25, 2012 at 10:56:37 +0100, Daniel P. Berrange wrote:
> On Wed, Jul 25, 2012 at 11:41:27AM +0200, Jiri Denemark wrote:
> > When an unconfined domain is begin started, it doesn't make any sense to
> > automatically relabel its disk images with the default label. Morever,
> > doing so would fail because the generated label would be generated
> > without the "s0" sensitivity (since mcs is NULL in this case).
> > ---
> > src/security/security_selinux.c | 9 +++++++--
> > 1 file changed, 7 insertions(+), 2 deletions(-)
> >
> > diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
> > index ca19b70..02808a4 100644
> > --- a/src/security/security_selinux.c
> > +++ b/src/security/security_selinux.c
> > @@ -370,8 +370,13 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
> > goto cleanup;
> > }
> >
> > - if (!def->seclabel.norelabel) {
> > - def->seclabel.imagelabel = virSecuritySELinuxGenNewContext(data->file_context, mcs);
> > + /* Generating image label does not make any sense if the domain itself
> > + * will not be labeled.
> > + */
> > + if (def->seclabel.type != VIR_DOMAIN_SECLABEL_NONE &&
> > + !def->seclabel.norelabel) {
> > + def->seclabel.imagelabel =
> > + virSecuritySELinuxGenNewContext(data->file_context, mcs);
> > if (!def->seclabel.imagelabel) {
> > virReportError(VIR_ERR_INTERNAL_ERROR,
> > _("cannot generate selinux context for %s"), mcs);
>
> ACK, assuming all places in the file already handle the case of a
> imagelabel==NULL.
It appeared only disk labeling was working correctly with imagelabel == NULL,
methods relabeling other resources could not handle it. Anyway, the correct
fix seems to be a bit different, I'll send a v2.
Jirka
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list