selinux: Always generate imagelabel

The imagelabel SELinux label was only generated when relabeling was
enabled. This prohibited labeling of files created by libvirt that need
to be labeled even if relabeling is turned off.

The only codepath this change has direct impact on is labeling of FDs
passed to qemu which is always safe in current state.

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index ec4f764e4aac9d63de09d26d1cec793d9f0cb993..d7c978dbeae6c0a0d9a81b41f536d2fbb98219ed 100644 (file)
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -687,13 +687,12 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
         goto cleanup;
     }
 
-    if (!seclabel->norelabel) {
-        seclabel->imagelabel = virSecuritySELinuxGenNewContext(data->file_context,
-                                                               mcs,
-                                                               true);
-        if (!seclabel->imagelabel)
-            goto cleanup;
-    }
+    /* always generate a image label, needed to label new objects */
+    seclabel->imagelabel = virSecuritySELinuxGenNewContext(data->file_context,
+                                                           mcs,
+                                                           true);
+    if (!seclabel->imagelabel)
+        goto cleanup;
 
     if (!seclabel->model &&
         VIR_STRDUP(seclabel->model, SECURITY_SELINUX_NAME) < 0)