File 0f1993aa-dont-autogen-seclable.patch of Package libvirt
commit 0f1993aa15f281b3812806e29df729149a5b64c6
Author: Jim Fehlig <jfehlig@suse.com>
Date: Wed Aug 16 15:46:55 2017 -0600
Don't autogenerate seclabels of type 'none'
When security drivers are active but confinement is not enabled, there is no need to autogenerate <seclabel> elements when starting a domain def that contains no <seclabel> elements. In fact, autogenerating the elements can result in needless save/restore and migration failures when the security driver is not active on the restore/migration target. This patch changes the virSecurityManagerGenLabel function in src/security_manager.c to only autogenerate a <seclabel> element if none is already defined for the domain *and* default confinement is enabled. Otherwise the needless <seclabel> autogeneration is skipped.
Resolves: https://bugzilla.opensuse.org/show_bug.cgi?id=1051017
Index: libvirt-2.0.0/src/security/security_manager.c
===================================================================
--- libvirt-2.0.0.orig/src/security/security_manager.c
+++ libvirt-2.0.0/src/security/security_manager.c
@@ -582,31 +582,33 @@ virSecurityManagerGenLabel(virSecurityMa
 for (i = 0; sec_managers[i]; i++) {
 generated = false;
 seclabel = virDomainDefGetSecurityLabelDef(vm, sec_managers[i]->drv->name);
- if (!seclabel) {
- if (!(seclabel = virSecurityLabelDefNew(sec_managers[i]->drv->name)))
- goto cleanup;
- generated = seclabel->implicit = true;
- }
-
- if (seclabel->type == VIR_DOMAIN_SECLABEL_DEFAULT) {
- if (virSecurityManagerGetDefaultConfined(sec_managers[i])) {
- seclabel->type = VIR_DOMAIN_SECLABEL_DYNAMIC;
+ if (seclabel == NULL) {
+ /* Only generate seclabel if confinement is enabled */
+ if (!virSecurityManagerGetDefaultConfined(sec_managers[i])) {
+ VIR_DEBUG("Skipping auto generated seclabel");
+ continue;
 } else {
- seclabel->type = VIR_DOMAIN_SECLABEL_NONE;
- seclabel->relabel = false;
+ if (!(seclabel = virSecurityLabelDefNew(sec_managers[i]->drv->name)))
+ goto cleanup;
+ generated = seclabel->implicit = true;
+ seclabel->type = VIR_DOMAIN_SECLABEL_DYNAMIC;
+ }
+ } else {
+ if (seclabel->type == VIR_DOMAIN_SECLABEL_DEFAULT) {
+ if (virSecurityManagerGetDefaultConfined(sec_managers[i])) {
+ seclabel->type = VIR_DOMAIN_SECLABEL_DYNAMIC;
+ } else {
+ seclabel->type = VIR_DOMAIN_SECLABEL_NONE;
+ seclabel->relabel = false;
+ }
 }
- }
- if (seclabel->type == VIR_DOMAIN_SECLABEL_NONE) {
- if (virSecurityManagerGetRequireConfined(sec_managers[i])) {
- virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
- _("Unconfined guests are not allowed on this host"));
- goto cleanup;
- } else if (vm->nseclabels && generated) {
- VIR_DEBUG("Skipping auto generated seclabel of type none");
- virSecurityLabelDefFree(seclabel);
- seclabel = NULL;
- continue;
+ if (seclabel->type == VIR_DOMAIN_SECLABEL_NONE) {
+ if (virSecurityManagerGetRequireConfined(sec_managers[i])) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("Unconfined guests are not allowed on this host"));
+ goto cleanup;
+ }
 }
 }
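Review bot: The early `continue` in the `seclabel == NULL` branch runs before any `virSecurityManagerGetRequireConfined()` check, so a domain with no `<seclabel>` on a driver whose default confinement is off is no longer rejected with "Unconfined guests are not allowed on this host". The removed code reached that check for generated labels of type none too; the new code only performs it in the `else` branch, for labels already present in the definition. If a driver can have require-confined set while default-confined is off (the two getters are queried independently here), such a guest would start unconfined despite the host policy. Testing require-confined before skipping keeps the old enforcement and still avoids generating the element. The loop and the rest of virSecurityManagerGenLabel lie outside the hunk, so whether a later statement covers this case is not visible.

```c
if (!virSecurityManagerGetDefaultConfined(sec_managers[i])) {
    /* Enforce require-confined before skipping label generation */
    if (virSecurityManagerGetRequireConfined(sec_managers[i])) {
        virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
                       _("Unconfined guests are not allowed on this host"));
        goto cleanup;
    }
    VIR_DEBUG("Skipping auto generated seclabel");
    continue;
} else {
    /* … unchanged: create the implicit seclabel and set it to dynamic … */
```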