security: Skip labeling resources when seclabel defaults to none

If a domain is explicitly configured with <seclabel type="none"/> we
correctly ensure that no labeling will be done by setting
norelabel=true. However, if no seclabel element is present in domain XML
and hypervisor is configured not to confine domains by default, we only
set type to "none" without turning off relabeling. Thus if such a domain
is being started, security driver wants to relabel resources with
default label, which doesn't make any sense.

Moreover, with SELinux security driver, the generated image label lacks
"s0" sensitivity, which causes setfilecon() fail with EINVAL in
enforcing mode.
(cherry picked from commit ce53382ba28179d3a504b29b4f888b6e130d53f0)

diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index 0a43458d7815011a5730f98d4fea65c320e7c443..8bf1fcc3427469e6cc3c5b6a9af71c879854d82d 100644 (file)
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -296,10 +296,12 @@ int virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
                                virDomainDefPtr vm)
 {
     if (vm->seclabel.type == VIR_DOMAIN_SECLABEL_DEFAULT) {
-        if (mgr->defaultConfined)
+        if (mgr->defaultConfined) {
             vm->seclabel.type = VIR_DOMAIN_SECLABEL_DYNAMIC;
-        else
+        } else {
             vm->seclabel.type = VIR_DOMAIN_SECLABEL_NONE;
+            vm->seclabel.norelabel = true;
+        }
     }
 
     if ((vm->seclabel.type == VIR_DOMAIN_SECLABEL_NONE) &&