[libvirt] <seclabel> inside a //disk/source element

Richard W.M. Jones rjones at redhat.com
Wed Feb 27 18:03:05 UTC 2013


On Wed, Feb 27, 2013 at 05:24:26PM +0000, Daniel P. Berrange wrote:
> On Wed, Feb 27, 2013 at 05:14:55PM +0000, Richard W.M. Jones wrote:
> > 
> > According to the docs, it should be possible to do:
> > 
> >  <disk device="disk" type="file">
> >    <source file="/path/to/some/file">
> >       <seclabel relabel="no"/>           <---- NB
> >    </source>
> >    <target dev="sda" bus="scsi"/>
> >    <driver name="qemu" type="qcow2"/>
> >  </disk>
> > 
> > However I tried it, and it simply doesn't work.  Furthermore I looked
> > at the code in domain_conf.c, and I can't see how it's even supposed
> > to work.  It doesn't look to me as if <seclabel> is ever parsed in
> > that context.
> > 
> > Can anyone else confirm that this is a bug or point out my error?
> 
> Historically this was correct, because we only supported labels for
> one security driver. When we added support for multiple security
> drivers it seems we caused a regression.
> 
> <seclabel relabel="no"/>
> 
> should have been treated as equivalent to
> 
> <seclabel relabel="no" model="selinux"/>
> 
> but we're not doing that :-(

This works, thanks.

Unfortunately it leads to an even more intractable labelling problem,
but I'll follow up on the original BZ here:

https://bugzilla.redhat.com/show_bug.cgi?id=912499

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Fedora Windows cross-compiler. Compile Windows programs, test, and
build Windows installers. Over 100 libraries supported.
http://fedoraproject.org/wiki/MinGW
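
The workaround discussed in this thread, spelling out `model="selinux"` on a per-disk `<seclabel>`, can be applied mechanically to a domain definition. The following is an added example, not part of the original messages and not libvirt code; the function name `add_explicit_model` and the sample domain XML are constructed for illustration, and the `selinux` default is an assumption taken from the reply quoted above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the first disk mirrors the XML quoted in the thread,
# the second already names a model and must be left alone.
SAMPLE_DOMAIN = """\
<domain type="kvm">
  <name>guest</name>
  <devices>
    <disk device="disk" type="file">
      <source file="/path/to/some/file">
        <seclabel relabel="no"/>
      </source>
      <target dev="sda" bus="scsi"/>
      <driver name="qemu" type="qcow2"/>
    </disk>
    <disk device="disk" type="file">
      <source file="/path/to/other/file">
        <seclabel relabel="no" model="dac"/>
      </source>
      <target dev="sdb" bus="scsi"/>
    </disk>
  </devices>
</domain>
"""

def add_explicit_model(domain_xml, default_model="selinux"):
    """Give every //disk/source/seclabel that lacks a model attribute an
    explicit one. Returns (new_xml, list of patched source paths)."""
    root = ET.fromstring(domain_xml)
    patched = []
    # iter() includes the root, so a bare <disk> fragment also works.
    for disk in root.iter("disk"):
        for source in disk.findall("source"):
            for label in source.findall("seclabel"):
                if label.get("model") is None:
                    label.set("model", default_model)
                    patched.append(source.get("file") or source.get("dev") or "?")
    return ET.tostring(root, encoding="unicode"), patched

if __name__ == "__main__":
    new_xml, patched = add_explicit_model(SAMPLE_DOMAIN)
    for path in patched:
        print("added explicit model to seclabel for", path)
    print(new_xml)
```

Running it a second time on its own output patches nothing, so it is safe to apply to definitions that are already explicit.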



