On Fri, Jul 27, 2012 at 17:14:41 +0100, Daniel P. Berrange wrote:
> On Wed, Jul 25, 2012 at 03:30:28PM +0200, Jiri Denemark wrote:
> > If a domain is explicitly configured with <seclabel type="none"/> we
> > correctly ensure that no labeling will be done by setting
> > norelabel=true. However, if no seclabel element is present in domain XML
> > and hypervisor is configured not to confine domains by default, we only
> > set type to "none" without turning off relabeling. Thus if such a domain
> > is being started, security driver wants to relabel resources with
> > default label, which doesn't make any sense.
> >
> > Moreover, with SELinux security driver, the generated image label lacks
> > "s0" sensitivity, which causes setfilecon() fail with EINVAL in
> > enforcing mode.
>
> ACK, I see if the user requested type=none in the XML, then we
> have already set norelabel = true, in the XML parser.

Thanks, pushed.

Jirka