From: Jiri Denemark
Date: Fri, 15 Jan 2016 15:34:37 +0000 (+0100)
Subject: security: Do not restore labels on device tree binary
X-Git-Tag: v1.3.1~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8f0a15727fe04b9051010f793df3fb55e5e71f22;p=thirdparty%2Flibvirt.git

security: Do not restore labels on device tree binary

A device tree binary file specified by /domain/os/dtb element is a read-only resource similar to kernel and initrd files. We shouldn't restore its label when destroying a domain to avoid breaking other domains configure with the same device tree.

Signed-off-by: Jiri Denemark
---

diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 378b92210f..a09aba5f62 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -1128,10 +1128,6 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
 virSecurityDACRestoreFileLabel(priv, def->os.loader->nvram) < 0)
 rc = -1;
 
- if (def->os.dtb &&
- virSecurityDACRestoreFileLabel(priv, def->os.dtb) < 0)
- rc = -1;
-
 return rc;
 }
 
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 475cdbcf91..9e986350fb 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -2034,10 +2034,6 @@ virSecuritySELinuxRestoreAllLabel(virSecurityManagerPtr mgr,
 virSecuritySELinuxRestoreFileLabel(mgr, def->os.loader->nvram) < 0)
 rc = -1;
 
- if (def->os.dtb &&
- virSecuritySELinuxRestoreFileLabel(mgr, def->os.dtb) < 0)
- rc = -1;
-
 return rc;
 }