"seclabels" is only valid for 'file' or 'block' type storage volume.
---
 docs/formatdomain.html.in | 31 ++++++++++++++++---------------
 docs/schemas/domaincommon.rng | 3 +++
 src/conf/domain_conf.c | 12 ++++++++++--
 src/storage/storage_driver.c | 9 +++++++++
 4 files changed, 38 insertions(+), 17 deletions(-)
diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index 8186f3b..93c56d8 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -1434,24 +1434,25 @@ path to the file holding the disk. If the disk <code>type</code> is "block", then the <code>dev</code> attribute specifies the path to the host device to serve as - the disk. With both "file" and "block", one or more optional + the disk. With "file", "block" or "volume", one or more optional sub-elements <code>seclabel</code>, <a href="#seclabel">described below</a> (and <span class="since">since 0.9.9</span>), can be used to override the domain security labeling policy for just - that source file. If the disk <code>type</code> is "dir", then the - <code>dir</code> attribute specifies the fully-qualified path - to the directory to use as the disk. If the disk <code>type</code> - is "network", then the <code>protocol</code> attribute specifies - the protocol to access to the requested image; possible values - are "nbd", "rbd", "sheepdog" or "gluster". If the - <code>protocol</code> attribute is "rbd", "sheepdog" or "gluster", an - additional attribute <code>name</code> is mandatory to specify which - volume/image will be used. When the disk <code>type</code> is - "network", the <code>source</code> may have zero or - more <code>host</code> sub-elements used to specify the hosts - to connect. If the disk <code>type</code> is "volume", the underlying - disk source is represented by attributes <code>pool</code> and - <code>volume</code>. Attribute <code>pool</code> specifies the + that source file. (NB, <code>seclable</code> is not valid unless + the specified storage volume is of 'file' or 'block' type). + If the disk <code>type</code> is "dir", then the <code>dir</code> + attribute specifies the fully-qualified path to the directory to + use as the disk. If the disk <code>type</code> is "network", then + the <code>protocol</code> attribute specifies the protocol to access + to the requested image; possible values are "nbd", "rbd", "sheepdog" + or "gluster". 
If the <code>protocol</code> attribute is "rbd", + "sheepdog" or "gluster", an additional attribute <code>name</code> + is mandatory to specify which volume/image will be used. When the + disk <code>type</code> is "network", the <code>source</code> may + have zero or more <code>host</code> sub-elements used to specify + the hosts to connect. If the disk <code>type</code> is "volume", + the underlying disk source is represented by attributes <code>pool</code> + and <code>volume</code>. Attribute <code>pool</code> specifies the name of storage pool (managed by libvirt) where the disk source resides, and attribute <code>volume</code> specifies the name of storage volume (managed by libvirt) used as the disk source.
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index 6d426ac..820f10d 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -1097,6 +1097,9 @@
 <optional>
 <ref name="startupPolicy"/>
 </optional>
+ <optional>
+ <ref name='devSeclabel'/>
+ </optional>
 </element>
 </optional>
 <ref name="diskspec"/>
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 7b08b69..00ddae3 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -12322,7 +12322,7 @@ virDomainDiskSourceDefFormat(virBufferPtr buf,
 }
 break;
 case VIR_DOMAIN_DISK_TYPE_VOLUME:
- if (def->srcpool || def->startupPolicy)
+ if (def->srcpool || def->startupPolicy || def->nseclabels)
 virBufferAddLit(buf, " <source");
 if (def->srcpool)
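Review bot: Wrapping `devSeclabel` in `<optional>` in the domaincommon.rng hunk lets the schema accept at most one `<seclabel>` under a volume `<source>`, while the documentation hunk of this same patch says "one or more optional sub-elements" and the formatter in domain_conf.c loops over `def->nseclabels`. A disk carrying more than one label (for example one per security driver) would then be emitted by libvirt but rejected by its own schema. Using `<zeroOrMore> <ref name='devSeclabel'/> </zeroOrMore>` here would bring the schema in line with the documentation and the formatter. The enclosing `<element>` definition starts outside the hunk, so the surrounding content model is not visible from here.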
@@ -12331,8 +12331,16 @@ virDomainDiskSourceDefFormat(virBufferPtr buf,
 if (def->startupPolicy)
 virBufferEscapeString(buf, " startupPolicy='%s'", startupPolicy);
- if (def->srcpool || def->startupPolicy)
+ if (def->nseclabels) {
+ virBufferAddLit(buf, ">\n");
+ virBufferAdjustIndent(buf, 8);
+ for (n = 0; n < def->nseclabels; n++)
+ virSecurityDeviceLabelDefFormat(buf, def->seclabels[n]);
+ virBufferAdjustIndent(buf, -8);
+ virBufferAddLit(buf, " </source>\n");
+ } else if (def->srcpool || def->startupPolicy) {
 virBufferAddLit(buf, "/>\n");
+ }
 break;
 default:
 virReportError(VIR_ERR_INTERNAL_ERROR,
diff --git a/src/storage/storage_driver.c b/src/storage/storage_driver.c
index 3e710ef..f2ca310 100644
--- a/src/storage/storage_driver.c
+++ b/src/storage/storage_driver.c
@@ -2433,6 +2433,15 @@ storageTranslateDomainDiskSourcePool(virConnectPtr conn,
 goto cleanup;
 }
+ if (disk->nseclabels &&
+ vol->type != VIR_STORAGE_VOL_FILE &&
+ vol->type != VIR_STORAGE_VOL_BLOCK) {
+ virReportError(VIR_ERR_XML_ERROR, "%s",
+ _("'seclabels' is only valid for 'file' or "
+ "'block' type volume"));
+ goto cleanup;
+ }
+
 switch (vol->type) {
 case VIR_STORAGE_VOL_FILE:
 case VIR_STORAGE_VOL_BLOCK:
--
1.7.7.6
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
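Review bot: The new `if (def->nseclabels)` branch in the VOLUME case of virDomainDiskSourceDefFormat turns `<source>` from a self-closing element into a container, but nothing in the code says so and the literal `8` passed to `virBufferAdjustIndent` is unexplained. A comment above the branch such as `/* seclabel children: <source> becomes a container; 8 is the child indent */` would make the intent readable. The diffstat lists no test data, so a format round-trip case for a volume disk carrying a `<seclabel>` is worth adding; it is the only thing that would catch a mismatch between this output and the schema change in the same patch. The enclosing function and the declaration of `n` are outside the hunk.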
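Review bot: The error text in the added check of storageTranslateDomainDiskSourcePool names `'seclabels'`, but the element users write is `<seclabel>` (as the documentation hunk of this patch spells it), and the failure is an unsupported combination rather than malformed XML. I would report it as `virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", _("'seclabel' is only valid for 'file' or 'block' type volume"));`. A one-line comment above the check, e.g. `/* refuse rather than silently drop a label override the volume type cannot honour */`, would record why the function fails closed here. The function starts and ends outside the hunk, so whether the following `switch` already rejects the other volume types cannot be confirmed from these lines.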