Support seclabels for volume type disk

"seclabels" is only valid for 'file' or 'block' type storage volume.

Support seclabels for volume type disk
"seclabels" is only valid for 'file' or 'block' type storage volume.
664270b8 · Osier Yang · 43404fee · 664270b8 · 664270b8 · 664270b8
4 changed file
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -1439,11 +1439,13 @@
        path to the file holding the disk. If the disk
        <code>type</code> is "block", then the <code>dev</code>
        attribute specifies the path to the host device to serve as
-        the disk. With both "file" and "block", one or more optional
+        the disk. With "file", "block", and "volume", one or more optional
        sub-elements <code>seclabel</code>, <a href="#seclabel">described
        below</a> (and <span class="since">since 0.9.9</span>), can be
        used to override the domain security labeling policy for just
-        that source file.  If the disk <code>type</code> is "dir", then the
+        that source file. (NB, for "volume" type disk, <code>seclabel</code>
+        is only valid when the specified storage volume is of 'file' or
+        'block' type).  If the disk <code>type</code> is "dir", then the
        <code>dir</code> attribute specifies the fully-qualified path
        to the directory to use as the disk. If the disk <code>type</code>
        is "network", then the <code>protocol</code> attribute specifies

--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -1123,6 +1123,9 @@
                <optional>
                  <ref name="startupPolicy"/>
                </optional>
+                <optional>
+                  <ref name='devSeclabel'/>
+                </optional>
              </element>
            </optional>
            <ref name="diskspec"/>

--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -13020,16 +13020,24 @@ virDomainDiskSourceDefFormat(virBufferPtr buf,
            }
            break;
        case VIR_DOMAIN_DISK_TYPE_VOLUME:
-            /* Parsing guarantees the def->srcpool->volume cannot be NULL
-             * if def->srcpool->pool is not NULL.
-             */
+            virBufferAddLit(buf, "      <source");
+
            if (def->srcpool)
-                virBufferAsprintf(buf, "      <source pool='%s' volume='%s'",
+                virBufferAsprintf(buf, " pool='%s' volume='%s'",
                                  def->srcpool->pool, def->srcpool->volume);
            if (def->startupPolicy)
-                virBufferEscapeString(buf, " startupPolicy='%s'/>\n", startupPolicy);
-            else
+                virBufferEscapeString(buf, " startupPolicy='%s'", startupPolicy);
+
+            if (def->nseclabels) {
+                virBufferAddLit(buf, ">\n");
+                virBufferAdjustIndent(buf, 8);
+                for (n = 0; n < def->nseclabels; n++)
+                    virSecurityDeviceLabelDefFormat(buf, def->seclabels[n]);
+                virBufferAdjustIndent(buf, -8);
+                virBufferAddLit(buf, "      </source>\n");
+            } else {
                virBufferAddLit(buf, "/>\n");
+            }
            break;
        default:
            virReportError(VIR_ERR_INTERNAL_ERROR,

--- a/tests/qemuxml2argvdata/qemuxml2argv-disk-source-pool.xml
+++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-source-pool.xml
@@ -15,7 +15,11 @@
  <devices>
    <emulator>/usr/bin/qemu</emulator>
    <disk type='volume' device='cdrom'>
-      <source pool='blk-pool0' volume='blk-pool0-vol0' startupPolicy='optional'/>
+      <source pool='blk-pool0' volume='blk-pool0-vol0' startupPolicy='optional'>
+        <seclabel model='selinux' relabel='yes'>
+          <label>system_u:system_r:public_content_t:s0</label>
+        </seclabel>
+      </source>
      <target dev='hda' bus='ide'/>
      <readonly/>
      <address type='drive' controller='0' bus='0' target='0' unit='1'/>