The imagelabel SELinux label was only generated when relabeling was
enabled. This prohibited labeling of files created by libvirt that need
to be labeled even if relabeling is turned off.
The only codepath this change has direct impact on is labeling of FD's
passed to qemu which is allways safe in current state.
---
src/security/security_selinux.c | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index ec4f764..d7c978d 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -687,13 +687,12 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
goto cleanup;
}
- if (!seclabel->norelabel) {
- seclabel->imagelabel = virSecuritySELinuxGenNewContext(data->file_context,
- mcs,
- true);
- if (!seclabel->imagelabel)
- goto cleanup;
- }
+ /* always generate a image label, needed to label new objects */
+ seclabel->imagelabel = virSecuritySELinuxGenNewContext(data->file_context,
+ mcs,
+ true);
+ if (!seclabel->imagelabel)
+ goto cleanup;
if (!seclabel->model &&
VIR_STRDUP(seclabel->model, SECURITY_SELINUX_NAME) < 0)
--
1.8.2.1
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list