On Thu, Mar 21, 2013 at 04:35:11PM +0100, Michal Privoznik wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=923946
>
> The <seclabel type='none'/> should be added iff there is no other
> seclabel defined within a domain. This bug can be easily reproduced:
> 1) configure selinux seclabel for a domain
> 2) disable system's selinux and restart libvirtd
> 3) observe <seclabel type='none'/> being appended to a domain on its
> startup
> ---
> src/security/security_manager.c | 15 ++++++++++-----
> 1 file changed, 10 insertions(+), 5 deletions(-)
>
> diff --git a/src/security/security_manager.c b/src/security/security_manager.c
> index 5c2a95b..b55af69 100644
> --- a/src/security/security_manager.c
> +++ b/src/security/security_manager.c
> @@ -455,11 +455,16 @@ int virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
> }
> }
>
> - if ((seclabel->type == VIR_DOMAIN_SECLABEL_NONE) &&
> - sec_managers[i]->requireConfined) {
> - virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
> - _("Unconfined guests are not allowed on this host"));
> - goto cleanup;
> + if (seclabel->type == VIR_DOMAIN_SECLABEL_NONE) {
> + if (sec_managers[i]->requireConfined) {
> + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
> + _("Unconfined guests are not allowed on this host"));
> + goto cleanup;
> + } else if (vm->nseclabels && generated) {
> + VIR_DEBUG("Skipping auto generated seclabel of type none");
> + virSecurityLabelDefFree(seclabel);
> + continue;
> + }
> }
>
> if (!sec_managers[i]->drv->domainGenSecurityLabel) {
ACK Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :| -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
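Review bot: In the new `else if (vm->nseclabels && generated)` branch, `seclabel` still points at freed memory after `virSecurityLabelDefFree(seclabel)`, and `generated` is still set when the loop hits `continue`. The top of the loop and the `cleanup` label are outside the hunk, so this is unconfirmed, but if cleanup frees `seclabel` whenever `generated` is true, a loop that ends on this path would free it twice; adding `seclabel = NULL;` before `continue;` closes that off. The skip is also reported only through `VIR_DEBUG`. Going by the reproduction steps in the description, that presumably means a domain with a configured selinux label can start with no label from the active driver and nothing shown at default log levels. I would add a comment such as `/* drop the implicit 'none' label: the domain already carries an explicit seclabel for another model */` and consider raising the log level.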