提交 2ce63c16 编写于 作者: P Peter Krempa

selinux: Always generate imagelabel

The imagelabel SELinux label was only generated when relabeling was
enabled. This prohibited labeling of files created by libvirt that need
to be labeled even if relabeling is turned off.

The only codepath this change has direct impact on is labeling of FDs
passed to qemu which is always safe in current state.
上级 e45ee23c
...@@ -687,13 +687,12 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr, ...@@ -687,13 +687,12 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
goto cleanup; goto cleanup;
} }
if (!seclabel->norelabel) { /* always generate a image label, needed to label new objects */
seclabel->imagelabel = virSecuritySELinuxGenNewContext(data->file_context, seclabel->imagelabel = virSecuritySELinuxGenNewContext(data->file_context,
mcs, mcs,
true); true);
if (!seclabel->imagelabel) if (!seclabel->imagelabel)
goto cleanup; goto cleanup;
}
if (!seclabel->model && if (!seclabel->model &&
VIR_STRDUP(seclabel->model, SECURITY_SELINUX_NAME) < 0) VIR_STRDUP(seclabel->model, SECURITY_SELINUX_NAME) < 0)
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册