diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index fa76eb427c76e0680216bc8c41725235cc8c31f2..8384b5d434a197be60a24d5bea98c3c2964d5a38 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -4576,9 +4576,9 @@ virSecurityLabelDefParseXML(xmlXPathContextPtr ctxt,
 VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
 if (p != NULL) {
 if (STREQ(p, "yes")) {
- def->norelabel = false;
+ def->relabel = true;
 } else if (STREQ(p, "no")) {
- def->norelabel = true;
+ def->relabel = false;
 } else {
 virReportError(VIR_ERR_XML_ERROR,
 _("invalid security relabel value %s"), p);
@@ -4587,13 +4587,13 @@ virSecurityLabelDefParseXML(xmlXPathContextPtr ctxt,
 }
 VIR_FREE(p);
 if (def->type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
- def->norelabel) {
+ !def->relabel) {
 virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
 _("dynamic label type must use resource relabeling"));
 goto error;
 }
 if (def->type == VIR_DOMAIN_SECLABEL_NONE &&
- !def->norelabel) {
+ def->relabel) {
 virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
 _("resource relabeling is not compatible with 'none' label type"));
 goto error;
@@ -4601,9 +4601,9 @@ virSecurityLabelDefParseXML(xmlXPathContextPtr ctxt,
 } else {
 if (def->type == VIR_DOMAIN_SECLABEL_STATIC ||
 def->type == VIR_DOMAIN_SECLABEL_NONE)
- def->norelabel = true;
+ def->relabel = false;
 else
- def->norelabel = false;
+ def->relabel = true;
 }

 /* Always parse model */
@@ -4635,7 +4635,7 @@ virSecurityLabelDefParseXML(xmlXPathContextPtr ctxt,
 }

 /* Only parse imagelabel, if requested live XML with relabeling */
- if (!def->norelabel &&
+ if (def->relabel &&
 (!(flags & VIR_DOMAIN_XML_INACTIVE) &&
 def->type != VIR_DOMAIN_SECLABEL_NONE)) {
 p = virXPathStringLimit("string(./imagelabel[1])",
@@ -4793,7 +4793,7 @@ virSecurityDeviceLabelDefParseXML(virSecurityDeviceLabelDefPtr **seclabels_rtn,
 }

 /* Can't use overrides if top-level doesn't allow relabeling. */
- if (vmDef && vmDef->norelabel) {
+ if (vmDef && !vmDef->relabel) {
 virReportError(VIR_ERR_XML_ERROR, "%s",
 _("label overrides require relabeling to be "
 "enabled at the domain level"));
@@ -14708,14 +14708,14 @@ virSecurityLabelDefFormat(virBufferPtr buf,
 }

 virBufferAsprintf(buf, " relabel='%s'",
- def->norelabel ? "no" : "yes");
+ def->relabel ? "yes" : "no");
 if (def->label || def->imagelabel || def->baselabel) {
 virBufferAddLit(buf, ">\n");
 virBufferAdjustIndent(buf, 2);
 virBufferEscapeString(buf, "\n", def->label);
- if (!def->norelabel)
+ if (def->relabel)
 virBufferEscapeString(buf, "%s\n", def->imagelabel);
 if (def->type == VIR_DOMAIN_SECLABEL_DYNAMIC)
diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 1e2a38b0ddb6b2fd7e00098ee976122df50ff6d2..9603c78255e8bf03bc37fe304f8d5fcdfcf950df 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -281,7 +281,7 @@ reload_profile(virSecurityManagerPtr mgr,
 if (!secdef)
 return rc;

- if (secdef->norelabel)
+ if (!secdef->relabel)
 return 0;

 if ((profile_name = get_profile_name(def)) == NULL)
@@ -481,7 +481,7 @@ AppArmorSetSecurityAllLabel(virSecurityManagerPtr mgr,
 if (!secdef)
 return -1;

- if (secdef->norelabel)
+ if (!secdef->relabel)
 return 0;

 /* Reload the profile if stdin_path is specified. Note that
@@ -718,7 +718,7 @@ AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr,
 if (!(secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME)))
 return -1;
- if (secdef->norelabel)
+ if (!secdef->relabel)
 return 0;

 if (secdef->imagelabel) {
@@ -805,7 +805,7 @@ AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
 if (!secdef)
 return -1;

- if (secdef->norelabel)
+ if (!secdef->relabel)
 return 0;

 if (dev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS)
@@ -904,7 +904,7 @@ AppArmorRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
 if (!secdef)
 return -1;

- if (secdef->norelabel)
+ if (!secdef->relabel)
 return 0;

 return reload_profile(mgr, def, NULL, false);
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 26cd615161c3fccae915e53bf8014643efe43d7e..665cbc943dda50bf616b01a505414ae9f8e373e4 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -307,7 +307,7 @@ virSecurityDACSetSecurityImageLabel(virSecurityManagerPtr mgr,
 return 0;

 secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
- if (secdef && secdef->norelabel)
+ if (secdef && !secdef->relabel)
 return 0;

 disk_seclabel = virStorageSourceGetSecurityLabelDef(src,
@@ -369,7 +369,7 @@ virSecurityDACRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr,
 return 0;

 secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
- if (secdef && secdef->norelabel)
+ if (secdef && !secdef->relabel)
 return 0;

 disk_seclabel = virStorageSourceGetSecurityLabelDef(src,
@@ -477,7 +477,7 @@ virSecurityDACSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
 cbdata.manager = mgr;
 cbdata.secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
- if (cbdata.secdef && cbdata.secdef->norelabel)
+ if (cbdata.secdef && !cbdata.secdef->relabel)
 return 0;

 switch ((virDomainHostdevSubsysType) dev->source.subsys.type) {
@@ -601,7 +601,7 @@ virSecurityDACRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
 secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
- if (!priv->dynamicOwnership || (secdef && secdef->norelabel))
+ if (!priv->dynamicOwnership || (secdef && !secdef->relabel))
 return 0;

 if (dev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS)
@@ -881,7 +881,7 @@ virSecurityDACRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
 secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
- if (!priv->dynamicOwnership || (secdef && secdef->norelabel))
+ if (!priv->dynamicOwnership || (secdef && !secdef->relabel))
 return 0;

 VIR_DEBUG("Restoring security label on %s migrated=%d",
@@ -955,7 +955,7 @@ virSecurityDACSetSecurityAllLabel(virSecurityManagerPtr mgr,
 secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
- if (!priv->dynamicOwnership || (secdef && secdef->norelabel))
+ if (!priv->dynamicOwnership || (secdef && !secdef->relabel))
 return 0;

 for (i = 0; i < def->ndisks; i++) {
@@ -1157,7 +1157,7 @@ virSecurityDACGenLabel(virSecurityManagerPtr mgr,
 return rc;
 }

- if (!seclabel->norelabel && !seclabel->imagelabel &&
+ if (seclabel->relabel && !seclabel->imagelabel &&
 VIR_STRDUP(seclabel->imagelabel, seclabel->label) < 0) {
 VIR_FREE(seclabel->label);
 return rc;
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index 16bec5c2b4364416685ceeb2bc337451d0147e1b..8a45e0495873ce7d1ef99a0a7e194786c9e0e6bc 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -616,7 +616,7 @@ virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
 seclabel->type = VIR_DOMAIN_SECLABEL_DYNAMIC;
 } else {
 seclabel->type = VIR_DOMAIN_SECLABEL_NONE;
- seclabel->norelabel = true;
+ seclabel->relabel = false;
 }
 }
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index e06c003fee11471b64221cca1227ab582d83836d..8d4a9aa1251f59983f017837143df482b6ea0ca8 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
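Review bot: The DYNAMIC branch in the context at the top of the security_manager.c hunk, `seclabel->type = VIR_DOMAIN_SECLABEL_DYNAMIC;`, now silently relies on `relabel` already being true, because after the polarity flip a zero-valued field means "do not relabel" and only the NONE branch sets the flag explicitly. Where this `seclabel` is allocated is outside the hunk; if it does not come through `virSecurityLabelDefNew`, a dynamic label would be generated with relabeling off, the very combination the parser rejects as "dynamic label type must use resource relabeling". Making the two branches symmetric removes the dependency on the allocator's default: `seclabel->type = VIR_DOMAIN_SECLABEL_DYNAMIC;` followed by `seclabel->relabel = true;`. virSecurityManagerGenLabel starts and ends outside this hunk.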
@@ -1130,7 +1130,7 @@ virSecuritySELinuxRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr,
 disk_seclabel = virStorageSourceGetSecurityLabelDef(src,
 SECURITY_SELINUX_NAME);

- if (seclabel->norelabel || (disk_seclabel && disk_seclabel->norelabel))
+ if (!seclabel->relabel || (disk_seclabel && disk_seclabel->norelabel))
 return 0;

 /* If labelskip is true and there are no backing files, then we
@@ -1202,7 +1202,7 @@ virSecuritySELinuxSetSecurityImageLabelInternal(virSecurityManagerPtr mgr,
 return 0;

 secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
- if (!secdef || secdef->norelabel)
+ if (!secdef || !secdef->relabel)
 return 0;

 disk_seclabel = virStorageSourceGetSecurityLabelDef(src,
@@ -1456,7 +1456,7 @@ virSecuritySELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UN
 virSecurityLabelDefPtr secdef;
 secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
- if (!secdef || secdef->norelabel)
+ if (!secdef || !secdef->relabel)
 return 0;

 switch (dev->mode) {
@@ -1641,7 +1641,7 @@ virSecuritySELinuxRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
 virSecurityLabelDefPtr secdef;
 secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
- if (!secdef || secdef->norelabel)
+ if (!secdef || !secdef->relabel)
 return 0;

 switch (dev->mode) {
@@ -1670,7 +1670,7 @@ virSecuritySELinuxSetSecurityChardevLabel(virDomainDefPtr def,
 int ret = -1;
 seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
- if (!seclabel || seclabel->norelabel)
+ if (!seclabel || !seclabel->relabel)
 return 0;

 if (dev)
@@ -1741,7 +1741,7 @@ virSecuritySELinuxRestoreSecurityChardevLabel(virSecurityManagerPtr mgr,
 int ret = -1;
 seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
- if (!seclabel || seclabel->norelabel)
+ if (!seclabel || !seclabel->relabel)
 return 0;

 if (dev)
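Review bot: The rewritten check `!seclabel->relabel || (disk_seclabel && disk_seclabel->norelabel)` in the first hunk now reads the same concept with opposite polarity on its two operands, positive `relabel` on the domain label and negated `norelabel` on the per-disk override. This is only correct if `virSecurityDeviceLabelDef` was intentionally left with the old field name, which the diff does not show, and it is precisely the shape of expression where an inverted-boolean slip is hardest to spot in review. Either rename the device-level field in the same series or mark the asymmetry so it is not "fixed" by accident: `/* device-level override still uses the negated 'norelabel' flag */`. virSecuritySELinuxRestoreSecurityImageLabelInt starts and ends outside this hunk.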
@@ -1866,10 +1866,8 @@ virSecuritySELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
 VIR_DEBUG("Restoring security label on %s", def->name);
 secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
- if (secdef == NULL)
- return 0;

- if (secdef->norelabel || data->skipAllLabel)
+ if (!secdef || !secdef->relabel || data->skipAllLabel)
 return 0;

 if (def->tpm) {
@@ -1956,7 +1954,7 @@ virSecuritySELinuxSetSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
 virSecurityLabelDefPtr secdef;
 secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
- if (!secdef || secdef->norelabel)
+ if (!secdef || !secdef->relabel)
 return 0;

 return virSecuritySELinuxSetFilecon(savefile, secdef->imagelabel);
@@ -1971,7 +1969,7 @@ virSecuritySELinuxRestoreSavedStateLabel(virSecurityManagerPtr mgr,
 virSecurityLabelDefPtr secdef;
 secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
- if (!secdef || secdef->norelabel)
+ if (!secdef || !secdef->relabel)
 return 0;

 return virSecuritySELinuxRestoreSecurityFileLabel(mgr, savefile);
@@ -2245,10 +2243,8 @@ virSecuritySELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
 virSecurityLabelDefPtr secdef;
 secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
- if (secdef == NULL)
- return 0;

- if (secdef->norelabel || data->skipAllLabel)
+ if (!secdef || !secdef->relabel || data->skipAllLabel)
 return 0;

 for (i = 0; i < def->ndisks; i++) {
diff --git a/src/util/virseclabel.c b/src/util/virseclabel.c
index 8f07de39b701d1de0f2172cfa811885052ddfe9c..9b209c0a326f039454853caed8d88c2339581bcf 100644
--- a/src/util/virseclabel.c
+++ b/src/util/virseclabel.c
@@ -64,6 +64,8 @@ virSecurityLabelDefNew(const char *model)
 seclabel = NULL;
 }

+ seclabel->relabel = true;
+
 return seclabel;
 }
diff --git a/src/util/virseclabel.h b/src/util/virseclabel.h
index b90d212d7d226a0cf83b99b9aef535cb9f2efc4d..c164c48cecaad95079d4ed69d7aa487be510cc89 100644
--- a/src/util/virseclabel.h
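Review bot: In the virseclabel.c hunk the added `seclabel->relabel = true;` dereferences `seclabel` unconditionally, yet the context line directly above it is `seclabel = NULL;`, the tail of an error path whose condition is outside the hunk, so that path now dereferences NULL instead of returning NULL to the caller. Set the default where the pointer is known to be valid, right after the successful allocation earlier in the function, or guard it, `if (seclabel)` / `seclabel->relabel = true;`; moving it after allocation is preferable so the NULL return stays a clean, caller-checkable failure. Until then every allocation or strdup failure in this constructor is a crash rather than an error. virSecurityLabelDefNew starts outside this hunk.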
+++ b/src/util/virseclabel.h
@@ -40,7 +40,7 @@ struct _virSecurityLabelDef {
 char *imagelabel; /* security image label string */
 char *baselabel; /* base name of label string */
 int type; /* virDomainSeclabelType */
- bool norelabel;
+ bool relabel; /* true (default) for allowing relabels */
 bool implicit; /* true if seclabel is auto-added */
 };
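Review bot: The new comment `/* true (default) for allowing relabels */` documents a default the struct itself does not provide: after the polarity flip a zero-initialized `_virSecurityLabelDef` has `relabel == false`, i.e. relabeling disabled, whereas the old zero value of `norelabel` meant relabeling enabled. The default is only true when the object is built by `virSecurityLabelDefNew` (see the virseclabel.c hunk), so the comment should say where the value comes from and what zero means, e.g. `/* allow relabeling of resources; set true by virSecurityLabelDefNew, a zero-initialized struct means no relabel */`. Any construction site that bypasses that helper is worth auditing as part of this commit, since the security drivers in this series `return 0` on `!relabel` and the failure mode is a label that is silently never applied rather than a visible error.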