From: Cédric Bosdonnat
Date: Fri, 6 Feb 2015 13:13:43 +0000 (+0100)
Subject: Clear dynamic seclabels on LXCProcessStart failure
X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=88a1b542088aa45601f0b407934c7ea623ef6de9;p=libvirt.git
Clear dynamic seclabels on LXCProcessStart failure
commit a58e1cb4 didn't fix the bug if the security_default_confined is not set to 1. We now clean up even if there is no seclabel defined or the default one.
---
diff --git a/src/lxc/lxc_process.c b/src/lxc/lxc_process.c
index b3854233a8..19ea7f314f 100644
--- a/src/lxc/lxc_process.c
+++ b/src/lxc/lxc_process.c
@@ -1022,6 +1022,7 @@ int virLXCProcessStart(virConnectPtr conn,
 virCgroupPtr selfcgroup;
 int status;
 char *pidfile = NULL;
+ bool clearSeclabel = false;
 if (virCgroupNewSelf(&selfcgroup) < 0)
 return -1;
@@ -1126,6 +1127,10 @@ int virLXCProcessStart(virConnectPtr conn,
 /* If you are using a SecurityDriver with dynamic labelling, then generate a security label for isolation */
 VIR_DEBUG("Generating domain security label (if required)");
+
+ clearSeclabel = vm->def->nseclabels == 0 ||
+ vm->def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DEFAULT;
+
 if (vm->def->nseclabels &&
 vm->def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DEFAULT)
 vm->def->seclabels[0]->type = VIR_DOMAIN_SECLABEL_NONE;
@@ -1387,7 +1392,8 @@ int virLXCProcessStart(virConnectPtr conn,
 virSecurityManagerReleaseLabel(driver->securityManager, vm->def);
 /* Clear out dynamically assigned labels */
 if (vm->def->nseclabels &&
- vm->def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
+ (vm->def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DYNAMIC ||
+ clearSeclabel)) {
 VIR_FREE(vm->def->seclabels[0]->model);
 VIR_FREE(vm->def->seclabels[0]->label);
 VIR_FREE(vm->def->seclabels[0]->imagelabel);
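Review bot: The assignment to `clearSeclabel` added in the second hunk only works because it runs before the `if` directly below rewrites a DEFAULT type to `VIR_DOMAIN_SECLABEL_NONE`, and nothing in the code records that ordering requirement. Reordering these statements later would leave the flag false for a DEFAULT label and quietly skip the failure-path cleanup added further down in this commit. I would add a comment above the assignment such as `/* Must be sampled before the type is rewritten below; the failure path uses it to decide whether the label was filled in during this start attempt. */`. The enclosing function starts and ends outside the hunk.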
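Review bot: The widened condition in the third hunk still inspects and frees only `seclabels[0]`, and `clearSeclabel` is derived from that same entry, so any further entries in `vm->def->seclabels` keep their `model`, `label` and `imagelabel` after `virSecurityManagerReleaseLabel()` has run. If more than one security model can be active for a container (not visible here), a label that was already released would stay recorded in the definition, which matters because these labels are what isolate one container from another. The `type` that was rewritten to `VIR_DOMAIN_SECLABEL_NONE` earlier in the function is also not put back in the visible lines, so on a retry `clearSeclabel` would presumably evaluate false for a label that started as DEFAULT; `if (clearSeclabel) vm->def->seclabels[0]->type = VIR_DOMAIN_SECLABEL_DEFAULT;` after the three `VIR_FREE` calls would restore it. The block continues past the end of the hunk, so either point may already be handled there.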