security: Don't add seclabel of type none if there's already a seclabel
authorMichal Privoznik <mprivozn@redhat.com>
Thu, 21 Mar 2013 15:32:07 +0000 (16:32 +0100)
committerMichal Privoznik <mprivozn@redhat.com>
Thu, 28 Mar 2013 09:01:06 +0000 (10:01 +0100)
https://bugzilla.redhat.com/show_bug.cgi?id=923946

The <seclabel type='none'/> should be added iff there is no other
seclabel defined within a domain. This bug can be easily reproduced:
1) configure selinux seclabel for a domain
2) disable system's selinux and restart libvirtd
3) observe <seclabel type='none'/> being appended to a domain on its
   startup

src/security/security_manager.c

index 5c2a95b6990012b774404fc4aa7c94007135fb86..b55af6968d4c94e923dde05b1b01d1e668a22a3a 100644 (file)
@@ -455,11 +455,16 @@ int virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
             }
         }
 
-        if ((seclabel->type == VIR_DOMAIN_SECLABEL_NONE) &&
-            sec_managers[i]->requireConfined) {
-            virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
-                           _("Unconfined guests are not allowed on this host"));
-            goto cleanup;
+        if (seclabel->type == VIR_DOMAIN_SECLABEL_NONE) {
+            if (sec_managers[i]->requireConfined) {
+                virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+                               _("Unconfined guests are not allowed on this host"));
+                goto cleanup;
+            } else if (vm->nseclabels && generated) {
+                VIR_DEBUG("Skipping auto generated seclabel of type none");
+                virSecurityLabelDefFree(seclabel);
+                continue;
+            }
         }
 
         if (!sec_managers[i]->drv->domainGenSecurityLabel) {
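Review bot: The new `else if (vm->nseclabels && generated)` skip is only safe because it is evaluated after the `requireConfined` test, and nothing in the code records that ordering as intentional. If the two branches were ever swapped or the `else` dropped, a host that mandates confinement would quietly discard the generated label and carry on instead of refusing the guest. I would add a comment above the outer `if`, for example `/* requireConfined must be checked first: the skip below must never bypass it */`. Separately, the skip branch calls `virSecurityLabelDefFree(seclabel)` before `continue`, while the `requireConfined` branch jumps to `cleanup` without releasing the label; the `cleanup` label is outside this hunk, so please confirm it frees a generated seclabel. The loop and the body of `virSecurityManagerGenLabel` both start and end outside the hunk.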