[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[libvirt] [PATCH] selinux: Do not automatically label images of unconfined domains



When an unconfined domain is begin started, it doesn't make any sense to
automatically relabel its disk images with the default label. Morever,
doing so would fail because the generated label would be generated
without the "s0" sensitivity (since mcs is NULL in this case).
---
 src/security/security_selinux.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index ca19b70..02808a4 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -370,8 +370,13 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
         goto cleanup;
     }
 
-    if (!def->seclabel.norelabel) {
-        def->seclabel.imagelabel = virSecuritySELinuxGenNewContext(data->file_context, mcs);
+    /* Generating image label does not make any sense if the domain itself
+     * will not be labeled.
+     */
+    if (def->seclabel.type != VIR_DOMAIN_SECLABEL_NONE &&
+        !def->seclabel.norelabel) {
+        def->seclabel.imagelabel =
+            virSecuritySELinuxGenNewContext(data->file_context, mcs);
         if (!def->seclabel.imagelabel)  {
             virReportError(VIR_ERR_INTERNAL_ERROR,
                            _("cannot generate selinux context for %s"), mcs);
-- 
1.7.11.1


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]