security: Do not restore kernel and initrd labels
authorJiri Denemark <jdenemar@redhat.com>
Fri, 15 Jan 2016 09:55:58 +0000 (10:55 +0100)
committerJiri Denemark <jdenemar@redhat.com>
Fri, 15 Jan 2016 09:55:58 +0000 (10:55 +0100)
Kernel/initrd files are essentially read-only shareable images and thus
should be handled in the same way. We already use the appropriate label
for kernel/initrd files when starting a domain, but when a domain gets
destroyed we would remove the labels which would make other running
domains using the same files very unhappy.

https://bugzilla.redhat.com/show_bug.cgi?id=921135

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
src/security/security_dac.c
src/security/security_selinux.c

index 80709fe1f5037bd6c1d7f575a982e2962a8a3a47..378b92210fec1a86f50adf8165e4828a6b47a7c6 100644 (file)
@@ -1128,14 +1128,6 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
         virSecurityDACRestoreFileLabel(priv, def->os.loader->nvram) < 0)
         rc = -1;
 
-    if (def->os.kernel &&
-        virSecurityDACRestoreFileLabel(priv, def->os.kernel) < 0)
-        rc = -1;
-
-    if (def->os.initrd &&
-        virSecurityDACRestoreFileLabel(priv, def->os.initrd) < 0)
-        rc = -1;
-
     if (def->os.dtb &&
         virSecurityDACRestoreFileLabel(priv, def->os.dtb) < 0)
         rc = -1;
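Review bot: The `def->os.dtb` restore kept as context at the end of this hunk looks exposed to the same sharing problem this commit fixes for kernel and initrd. If the device tree blob is labelled like those files at domain start (not visible here), destroying one domain would still strip the label from under other running domains that use the same file. The same applies to the dtb check at the end of the `virSecuritySELinuxRestoreAllLabel` hunk. Separately, nothing in the new code records why kernel and initrd are skipped, so a comment such as `/* kernel/initrd are shared read-only images; their labels are intentionally not restored */` above the dtb check in both functions would keep a later cleanup from re-adding the calls. Both functions begin and end outside the hunks, so any handling elsewhere in them cannot be confirmed from this page.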
index 721c4519b1a3f9edea9dc87fcffa5f8b68f53bf4..475cdbcf91d1e534085e2c877d2e98b599bc41ef 100644 (file)
@@ -2034,14 +2034,6 @@ virSecuritySELinuxRestoreAllLabel(virSecurityManagerPtr mgr,
         virSecuritySELinuxRestoreFileLabel(mgr, def->os.loader->nvram) < 0)
         rc = -1;
 
-    if (def->os.kernel &&
-        virSecuritySELinuxRestoreFileLabel(mgr, def->os.kernel) < 0)
-        rc = -1;
-
-    if (def->os.initrd &&
-        virSecuritySELinuxRestoreFileLabel(mgr, def->os.initrd) < 0)
-        rc = -1;
-
     if (def->os.dtb &&
         virSecuritySELinuxRestoreFileLabel(mgr, def->os.dtb) < 0)
         rc = -1;