On 02.04.2013 18:38, Eric Blake wrote: > On 04/02/2013 10:07 AM, Michal Privoznik wrote: >> https://bugzilla.redhat.com/show_bug.cgi?id=947387 >> >> If a user configures a domain to use a seclabel of a specific type, >> but the appropriate driver is not accessible, we should refuse to >> start the domain. For instance, if user requires selinux, but it is >> either non present in the system, or is just disabled, we should not >> start the domain. Moreover, since we are touching only those labels we >> have a security driver for, the other labels may confuse libvirt when >> reconnecting to a domain on libvirtd restart. In our selinux example, >> when starting up a domain, missing security label is okay, as we >> auto-generate one. But later, when libvirt is re-connecting to a live >> qemu instance, we parse a state XML, where security label is required >> and it is an error if missing: >> >> error : virSecurityLabelDefParseXML:3228 : XML error: security label >> is missing >> >> This results in a qemu process left behind without any libvirt control. >> --- >> src/security/security_manager.c | 15 ++++++++++++++- >> 1 file changed, 14 insertions(+), 1 deletion(-) > > ACK. > Thanks, pushed. Michal -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list