Clear dynamic seclabels on LXCProcessStart failure

commit a58e1cb4 didn't fix the bug if the security_default_confined is
not set to 1. We now clean up even if there is no seclabel defined or
the default one.

diff --git a/src/lxc/lxc_process.c b/src/lxc/lxc_process.c
index b3854233a8612468d87c2e404ff9f7a60d1d18b7..19ea7f314fb35113a2ce5e0da64aa885c0a9e071 100644 (file)
--- a/src/lxc/lxc_process.c
+++ b/src/lxc/lxc_process.c
@@ -1022,6 +1022,7 @@ int virLXCProcessStart(virConnectPtr conn,
     virCgroupPtr selfcgroup;
     int status;
     char *pidfile = NULL;
+    bool clearSeclabel = false;
 
     if (virCgroupNewSelf(&selfcgroup) < 0)
         return -1;
@@ -1126,6 +1127,10 @@ int virLXCProcessStart(virConnectPtr conn,
     /* If you are using a SecurityDriver with dynamic labelling,
        then generate a security label for isolation */
     VIR_DEBUG("Generating domain security label (if required)");
+
+    clearSeclabel = vm->def->nseclabels == 0 ||
+                    vm->def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DEFAULT;
+
     if (vm->def->nseclabels &&
         vm->def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DEFAULT)
         vm->def->seclabels[0]->type = VIR_DOMAIN_SECLABEL_NONE;
@@ -1387,7 +1392,8 @@ int virLXCProcessStart(virConnectPtr conn,
         virSecurityManagerReleaseLabel(driver->securityManager, vm->def);
         /* Clear out dynamically assigned labels */
         if (vm->def->nseclabels &&
-            vm->def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
+            (vm->def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DYNAMIC ||
+            clearSeclabel)) {
             VIR_FREE(vm->def->seclabels[0]->model);
             VIR_FREE(vm->def->seclabels[0]->label);
             VIR_FREE(vm->def->seclabels[0]->imagelabel);