提交 d869a6ea 编写于 作者: M Michal Privoznik

conf: Fix even implicit labels

https://bugzilla.redhat.com/show_bug.cgi?id=1027096#c8

There are two ways in which security model can make it way into
<seclabel/>. One is as the @model attribute, the second one is
via security_driver knob in qemu.conf. Then, while parsing
<seclabel/> several checks and fix ups of old, stale combinations
are performed. However, iff @model is specified. They are not
done in the latter case. So it's still possible to feed libvirt
with senseless combinations (if qemu.conf is adjusted correctly).

One example of a seclabel that needs some adjustment (in case
security_driver=none in qemu.conf) is:

    <seclabel type='dynamic' relabel='yes'/>

The fixup code is copied from virSecurityLabelDefParseXML
(covering the former case) into virSecurityLabelDefsParseXML
(which handles the latter case).
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
上级 cefe0ba3
......@@ -4974,6 +4974,13 @@ virSecurityLabelDefsParseXML(virDomainDefPtr def,
host->secModels[0].model);
if (VIR_STRDUP(def->seclabels[0]->model, host->secModels[0].model) < 0)
goto error;
if (STREQ(def->seclabels[0]->model, "none") &&
flags & VIR_DOMAIN_XML_INACTIVE) {
/* Fix older configurations */
def->seclabels[0]->type = VIR_DOMAIN_SECLABEL_NONE;
def->seclabels[0]->relabel = false;
}
} else {
virReportError(VIR_ERR_XML_ERROR, "%s",
_("missing security model in domain seclabel"));
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册