From aafeeb2c9fec1a916cbb1625348bc5d8153c664f Mon Sep 17 00:00:00 2001

Message-Id: <aafeeb2c9fec1a916cbb1625348bc5d8153c664f@dist-git>

From: Shivaprasad G Bhat <shivaprasadbhat@gmail.com>

Date: Tue, 30 Sep 2014 17:41:01 +0200

Subject: [PATCH] selinux: Avoid label reservations for type = none

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

https://bugzilla.redhat.com/show_bug.cgi?id=1138487

For security type='none' libvirt according to the docs should not

generate seclabel be it for selinux or any model. So, skip the

reservation of labels when type is none.

Signed-off-by: Shivaprasad G Bhat <sbhat@linux.vnet.ibm.com>

(cherry picked from commit a48362cdfeb5c948218a2e4bf7cc9354082fc1b6)

Signed-off-by: Ján Tomko <jtomko@redhat.com>

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>

---

 src/security/security_selinux.c | 4 +++-

 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c

index 85ad073..7413701 100644

--- a/src/security/security_selinux.c

+++ b/src/security/security_selinux.c

@@ -731,7 +731,9 @@ virSecuritySELinuxReserveSecurityLabel(virSecurityManagerPtr mgr,

     virSecurityLabelDefPtr seclabel;

     seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);

-    if (!seclabel || seclabel->type == VIR_DOMAIN_SECLABEL_STATIC)

+    if (!seclabel ||

+        seclabel->type == VIR_DOMAIN_SECLABEL_NONE ||

+        seclabel->type == VIR_DOMAIN_SECLABEL_STATIC)

         return 0;

     if (getpidcon_raw(pid, &pctx) == -1) {

-- 

2.1.2