Ján Tomko wrote: > On 05/16/2014 06:16 AM, Jim Fehlig wrote: > >> The DAC driver ignores the relabel='no' attribute in chardev config >> >> <serial type='file'> >> <source path='/tmp/jim/test.file'> >> <seclabel model='dac' relabel='no'/> >> </source> >> <target port='0'/> >> </serial> >> >> This patch avoids labeling chardevs when relabel='no' is specified. >> >> Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx> >> Signed-off-by: Jim Fehlig <jfehlig@xxxxxxxx> >> --- >> src/security/security_dac.c | 65 ++++++++++++++++++++++++++++++++------------- >> 1 file changed, 46 insertions(+), 19 deletions(-) >> >> diff --git a/src/security/security_dac.c b/src/security/security_dac.c >> index 4434cd0..20f349f 100644 >> --- a/src/security/security_dac.c >> +++ b/src/security/security_dac.c >> @@ -705,25 +707,35 @@ virSecurityDACSetChardevLabel(virSecurityManagerPtr mgr, >> >> seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME); >> >> - if (virSecurityDACGetIds(seclabel, priv, &user, &group, NULL, NULL)) >> - return -1; >> + if (dev) >> + chr_seclabel = virDomainChrDefGetSecurityLabelDef(dev, >> + SECURITY_DAC_NAME); >> > > A check for seclabel->norelabel and chr_seclabel->norelabel is missing here. > virSecurityDACSetChardevLabel() is only called internally, and in all cases via virSecurityDACSetSecurityAllLabel(), which already checks for seclabel->norelabel. But you are right about the missing check for chr_seclabel->norelabel. I added it to the patch before pushing. Regards, Jim -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list