Re: [libvirt] [PATCH v2 3/5] Add two new security label types
Not sure if related, but after syncing libvirt to the latest master branch I see the following errors:

2012-02-04 10:38:00.119+: 18828: error : virSecurityLabelDefParseXML:2646 : XML error: security label is missing
2012-02-04 10:38:00.129+: 18828: error : virSecurityLabelDefParseXML:2646 : XML error: security label is missing

And virt-manager does not want to start anymore. Is this a backward-compatibility related issue?

Thanks,
Ansis

On Wed, Feb 1, 2012 at 8:27 PM, Eric Blake ebl...@redhat.com wrote:
On 01/25/2012 07:12 AM, Daniel P. Berrange wrote:
From: Daniel P. Berrange berra...@redhat.com Curently security labels can be of type 'dynamic' or 'static'. s/Curently/Currently/ If no security label is given, then 'dynamic' is assumed. The current code takes advantage of this default, and avoids even saving seclabel elements with type='dynamic' to disk. This means if you temporarily change security driver, the guests can all still start. With the introduction of sVirt to LXC though, there needs to be a new default of 'none' to allow unconfined LXC containers. This patch introduces two new security label types - default: the host configuration decides whether to run the guest with type 'none' or 'dynamic' at guest start - none: the guest will run unconfined by security policy The 'none' label type will obviously be undesirable for some deployments, so a new qemu.conf option allows a host admin to mandate confined guests. It is also possible to turn off default confinement security_default_confined = 1|0 (default == 1) security_require_confined = 1|0 (default == 0) * src/conf/domain_conf.c, src/conf/domain_conf.h: Add new seclabel types * src/security/security_manager.c, src/security/security_manager.h: Set default sec label types * src/security/security_selinux.c: Handle 'none' seclabel type * src/qemu/qemu.conf, src/qemu/qemu_conf.c, src/qemu/qemu_conf.h, src/qemu/libvirtd_qemu.aug: New security config options * src/qemu/qemu_driver.c: Tell security driver about default config --- docs/formatdomain.html.in | 24 + docs/schemas/domaincommon.rng |5 +++ po/POTFILES.in |1 + src/conf/domain_conf.c | 70 -- src/conf/domain_conf.h |2 + src/qemu/libvirtd_qemu.aug |2 + src/qemu/qemu.conf |8 src/qemu/qemu_conf.c| 11 ++ src/qemu/qemu_conf.h|2 + src/qemu/qemu_driver.c |7 +++- src/security/security_manager.c | 51 +--- src/security/security_manager.h |8 - src/security/security_selinux.c | 32 ++ tests/seclabeltest.c|2 +- 14 files changed, 177 insertions(+), 48 deletions(-) Just glancing at this diffstat, it looks like you hit my 
major concerns from v1 (https://www.redhat.com/archives/libvir-list/2012-January/msg00940.html) @@ -3484,10 +3484,11 @@ qemu-kvm -net nic,model=? /dev/null p The codeseclabel/code element allows control over the - operation of the security drivers. There are two basic - modes of operation, dynamic where libvirt automatically - generates a unique security label, or static where the - application/administrator chooses the labels. With dynamic + operation of the security drivers. There are three basic + modes of operation, 'dynamic' where libvirt automatically + generates a unique security label, 'static' where the + application/administrator chooses the labels, or 'none' + where confinement is disabled. With dynamic label generation, libvirt will always automatically relabel any resources associated with the virtual machine. With static label assignment, by default, the administrator Probably want to also document with a span class=since that 'none' was introduced in 0.9.10. @@ -3515,9 +3516,18 @@ qemu-kvm -net nic,model=? /dev/null lt;seclabel type='static' model='selinux' relabel='yes'gt; lt;labelgt;system_u:system_r:svirt_t:s0:c392,c662lt;/labelgt; lt;/seclabelgt; + + lt;seclabel type='none'/gt; /pre p + If no 'type' attribute is provided in the input XML, then + the security driver default setting will be used, which + may be either 'none' or 'static'. Actually, it is either 'none' or 'dynamic'; the only way to get 'static' is with explicit type attribute. @@ -2591,12 +2602,15 @@ virSecurityLabelDefParseXML(virSecurityLabelDefPtr def, def-imagelabel = p; } -/* Only parse baselabel, for dynamic label */ -if (def-type == VIR_DOMAIN_SECLABEL_DYNAMIC) { +/* Only parse baselabel, for dynamic or none label types */ +if (def-type == VIR_DOMAIN_SECLABEL_DYNAMIC || +
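Review bot: In the docs/formatdomain.html.in hunk at -3484, the new description of 'none' ("where confinement is disabled") leaves out that the host can override the guest's choice. The commit message adds security_require_confined so that a host admin can mandate confined guests, and security_default_confined to pick between 'none' and 'dynamic' when no type is given; the paragraph should name both qemu.conf settings so that someone reading only the domain XML documentation knows the seclabel element is not the final word on confinement.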
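Review bot: In the src/conf/domain_conf.c hunk at -2591, the rewritten comment says baselabel is now parsed "for dynamic or none label types" but gives no reason why a guest that runs unconfined would carry a baselabel. State in the comment what a baselabel under type='none' is meant to do, because the visible condition treats the two types alike and a later reader cannot tell whether that is intended or a leftover.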
Re: [libvirt] [PATCH v2 3/5] Add two new security label types
[please don't top-post on technical lists]

On 02/04/2012 03:43 AM, Ansis Atteka wrote:
> Not sure if related, but after syncing libvirt to the latest master branch I see the following errors:
>
> 2012-02-04 10:38:00.119+: 18828: error : virSecurityLabelDefParseXML:2646 : XML error: security label is missing
> 2012-02-04 10:38:00.129+: 18828: error : virSecurityLabelDefParseXML:2646 : XML error: security label is missing
>
> And virt-manager does not want to start anymore. Is this a backward-compatibility related issue?

Probably a bug in our parser that needs fixing. I haven't yet been able to reproduce it, though, so I need to know more about your setup.

Is your domain running or inactive when you get that message? Can you post the domain's XML (here, looking at /etc/libvirt/qemu/dom.xml and /var/run/libvirt/qemu/dom.xml might be appropriate)?

--
Eric Blake ebl...@redhat.com +1-919-301-3266
Libvirt virtualization library http://libvirt.org

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH v2 3/5] Add two new security label types
On 02/04/2012 06:17 AM, Eric Blake wrote:
> On 02/04/2012 03:43 AM, Ansis Atteka wrote:
>> Not sure if related, but after syncing libvirt to the latest master branch I see the following errors:
>>
>> 2012-02-04 10:38:00.119+: 18828: error : virSecurityLabelDefParseXML:2646 : XML error: security label is missing
>> 2012-02-04 10:38:00.129+: 18828: error : virSecurityLabelDefParseXML:2646 : XML error: security label is missing
>>
>> And virt-manager does not want to start anymore. Is this a backward-compatibility related issue?
>
> Probably a bug in our parser that needs fixing. I haven't yet been able to reproduce it, though, so I need to know more about your setup.

Actually, I just reproduced it. I changed an offline domain to have seclabel type='none'/, started the domain, then restarted libvirtd. I also see a problem where dumpxml doesn't revalidate under our RNG schema. I'm preparing a patch.

--
Eric Blake ebl...@redhat.com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
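The failure reproduced in the message above, modelled as an added example (not libvirt code and not part of the original thread): the seclabel rules of virSecurityLabelDefParseXML before and after the follow-up patch posted later in this thread, applied to inactive and live domain XML. The function names, the `fixed` switch, the sample documents, the imagelabel error text and the reading of relabel='no' as norelabel are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

TYPES = ("dynamic", "static", "none")

# Constructed sample documents (not the XML attached in the thread).
NONE_XML = "<domain type='qemu'><name>demo</name><seclabel type='none'/></domain>"
NONE_BASELABEL_XML = (
    "<domain type='qemu'><name>demo</name><seclabel type='none'>"
    "<baselabel>system_u:system_r:svirt_t:s0</baselabel></seclabel></domain>"
)
NO_TYPE_XML = "<domain type='qemu'><name>demo</name><seclabel/></domain>"


class SeclabelError(ValueError):
    """Stands in for the VIR_ERR_XML_ERROR reports of the C parser."""


def parse_seclabel(domain_xml, inactive, fixed):
    """Apply the seclabel parsing rules to one domain document.

    inactive=True models reading persistent config (VIR_DOMAIN_XML_INACTIVE);
    inactive=False models re-reading a running guest's state after a restart.
    fixed=False uses the rules removed by the patch, fixed=True the added ones.
    """
    sec = ET.fromstring(domain_xml).find("seclabel")
    if sec is None:
        return None
    typ = sec.get("type")
    if typ is None:
        if not fixed:
            raise SeclabelError("missing security type")
        typ = "dynamic"  # per the RNG, a seclabel without type is dynamic
    elif typ not in TYPES:
        raise SeclabelError("invalid security type")
    norelabel = sec.get("relabel") == "no"  # assumption, see lead-in
    # Live XML must carry the generated labels; after the fix an
    # unconfined (type='none') guest is exempt because it has none.
    need_live = (not inactive) and not (fixed and typ == "none")

    out = {"type": typ, "label": None, "imagelabel": None, "baselabel": None}
    if typ == "static" or need_live:
        out["label"] = sec.findtext("label")
        if out["label"] is None:
            raise SeclabelError("security label is missing")
    if not norelabel and need_live:
        out["imagelabel"] = sec.findtext("imagelabel")
        if out["imagelabel"] is None:
            raise SeclabelError("security imagelabel is missing")
    if typ == "dynamic" or (typ == "none" and not fixed):
        out["baselabel"] = sec.findtext("baselabel")
        if not fixed and out["baselabel"] is not None:
            out["type"] = "dynamic"  # old back-compat: none + baselabel
    return out


def outcome(domain_xml, inactive, fixed):
    """Return the resulting type, or the error the daemon would log."""
    try:
        parsed = parse_seclabel(domain_xml, inactive, fixed)
    except SeclabelError as exc:
        return "error: %s" % exc
    return parsed["type"] if parsed else "no seclabel"


if __name__ == "__main__":
    for fixed in (False, True):
        for inactive in (True, False):
            print("fixed=%s inactive=%s -> %s"
                  % (fixed, inactive, outcome(NONE_XML, inactive, fixed)))
```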
Re: [libvirt] [virt-tools-list] Provision through virt-manager not supported on para-virtualized Xen?
On 02/02/2012 10:53 AM, Cheer Xiao wrote:
> 2012/2/2 Cole Robinson crobi...@redhat.com:
> ... [snip] ...
>> Okay, libvirt is detecting things correctly. So why is virt-manager confused? Using that capabilities output works for me. What virt-manager version are you using? Can you run virt-manager with --debug, connect to xen, open the 'new vm' wizard that shows the error, and post the debug output here?
>
> The output is pasted. I also made a screenshot and uploaded to [1].
>
> And another unrelated question: does the output say virt-manager uses HAL for physical network interface management? I suppose HAL is obsolete...
>
> blackie% virt-manager --version
> 0.9.0
> blackie% virt-manager --debug
> 2012-02-02 23:49:04,992 (cli:71): virt-manager startup
> 2012-02-02 23:49:04,992 (virt-manager:292): Launched as: /usr/share/virt-manager/virt-manager.py --debug
> 2012-02-02 23:49:04,993 (virt-manager:293): GTK version: (2, 24, 9)
> 2012-02-02 23:49:04,993 (virt-manager:294): virtManager import: module 'virtManager' from '/usr/share/virt-manager/virtManager/__init__.py'
> 2012-02-02 23:49:05,116 (keyring:30): gnomekeyring bindings not installed, no keyring support
> 2012-02-02 23:49:05,391 (engine:555): No inspection thread because libguestfs is too old, not available, or libvirt is not thread safe.
> 2012-02-02 23:49:05,396 (engine:346): About to connect to uris ['xen+ssh://lux-003/', 'xen+ssh://major/', 'xen+ssh://lux-002/', 'qemu:///system']
> 2012-02-02 23:49:05,555 (engine:471): window counter incremented to 1
> 2012-02-02 23:49:14,633 (connection:954): Scheduling background open thread for xen+ssh://lux-002/
> 2012-02-02 23:49:14,633 (connection:1140): Background 'open connection' thread is running
> 2012-02-02 23:49:16,082 (connection:1168): Background open thread complete, scheduling notify
> 2012-02-02 23:49:16,082 (connection:1173): Notifying open result
> 2012-02-02 23:49:18,120 (connection:1180): xen+ssh://lux-002/ capabilities: capabilities host cpu archi686/arch features pae/ /features /cpu migration_features live/ uri_transports uri_transportxenmigr/uri_transport /uri_transports /migration_features topology cells num='1' cell id='0' cpus num='4' cpu id='0'/ cpu id='1'/ cpu id='2'/ cpu id='3'/ /cpus /cell /cells /topology /host guest os_typexen/os_type arch name='i686' wordsize32/wordsize emulator/usr/lib/xen/bin/qemu-dm/emulator machinexenpv/machine domain type='xen' /domain /arch features pae/ /features /guest /capabilities
> 2012-02-02 23:49:20,336 (connection:514): Connection doesn't seem to support interface APIs. Skipping all interface polling.
> 2012-02-02 23:49:27,777 (connection:570): Connection managed save support: False
> 2012-02-02 23:49:28,877 (halhelper:133): Unable to connect to HAL to list network devices: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.Hal was not provided by any .service files
> 2012-02-02 23:49:28,877 (connection:157): Libvirt version does not support physical interface listing
> 2012-02-02 23:49:28,879 (connection:200): Using libvirt API for mediadev enumeration
> 2012-02-02 23:49:55,510 (create:832): Guest type set to os_type=xen, arch=i686, dom_type=xen
>
> 1. http://ftp.tuna.tsinghua.edu.cn/xiaqs/screenshot-new-vm.png

Okay, none of that indicates why it isn't working.
I can't reproduce using your capabilities output and virt-manager 0.9.0 either (though I hacked it in so I could have missed a detail). Can you try with current upstream?

git clone git://git.fedorahosted.org/virt-manager.git
git clone git://git.fedorahosted.org/python-virtinst.git
cd python-virtinst
python setup.py build
cd ../virt-manager
./autogen.sh
./configure
make -j4
# Then after you can launch virt-manager with
PYTHONPATH=../python-virtinst python src/virt-manager.py --debug

See if you can reproduce, and if so please provide debug output and we can go from there.

- Cole
[libvirt] [PATCH] seclabel: make code and RNG match
Commit b170eb99 introduced a bug: domains that had an explicit seclabel type='none'/ when started would not be reparsed if libvirtd restarted. It turns out that our testsuite was not exercising this because it never tried anything but inactive parsing. Additionally, the live XML for such a domain failed to re-validate. Applying just the tests/ portion of this patch will expose the bugs that are fixed by the other two files. * docs/schemas/domaincommon.rng (seclabel): Allow relabel under type='none'. * src/conf/domain_conf.c (virSecurityLabelDefParseXML): Per RNG, presence of seclabel with no type implies dynamic. Don't require sub-elements for type='none'. * tests/qemuxml2xmltest.c (mymain): Add test. * tests/qemuxml2argvtest.c (mymain): Likewise. * tests/qemuxml2argvdata/qemuxml2argv-seclabel-none.xml: Add file. * tests/qemuxml2argvdata/qemuxml2argv-seclabel-none.args: Add file. Reported by Ansis Atteka. --- docs/schemas/domaincommon.rng |6 +++ src/conf/domain_conf.c | 40 +--- .../qemuxml2argv-seclabel-none.args|4 ++ .../qemuxml2argv-seclabel-none.xml | 26 + tests/qemuxml2argvtest.c |1 + tests/qemuxml2xmltest.c| 29 +- 6 files changed, 74 insertions(+), 32 deletions(-) create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-none.args create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-none.xml diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng index 8111045..724d7d0 100644 --- a/docs/schemas/domaincommon.rng +++ b/docs/schemas/domaincommon.rng @@ -130,9 +130,15 @@ /interleave /group group + !-- with none, relabel must be no if present -- attribute name='type' valuenone/value /attribute + optional +attribute name='relabel' + valueno/value +/attribute + /optional /group /choice /element diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index aa4b32d..6949ece 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c 
@@ -2583,17 +2583,15 @@ virSecurityLabelDefParseXML(virSecurityLabelDefPtr def, p = virXPathStringLimit(string(./seclabel/@type), VIR_SECURITY_LABEL_BUFLEN-1, ctxt); if (p == NULL) { -virDomainReportError(VIR_ERR_XML_ERROR, - %s, _(missing security type)); -goto error; -} - -def-type = virDomainSeclabelTypeFromString(p); -VIR_FREE(p); -if (def-type = 0) { -virDomainReportError(VIR_ERR_XML_ERROR, - %s, _(invalid security type)); -goto error; +def-type = VIR_DOMAIN_SECLABEL_DYNAMIC; +} else { +def-type = virDomainSeclabelTypeFromString(p); +VIR_FREE(p); +if (def-type = 0) { +virDomainReportError(VIR_ERR_XML_ERROR, + %s, _(invalid security type)); +goto error; +} } p = virXPathStringLimit(string(./seclabel/@relabel), @@ -2634,7 +2632,8 @@ virSecurityLabelDefParseXML(virSecurityLabelDefPtr def, * if the 'live' VM XML is requested */ if (def-type == VIR_DOMAIN_SECLABEL_STATIC || -!(flags VIR_DOMAIN_XML_INACTIVE)) { +(!(flags VIR_DOMAIN_XML_INACTIVE) + def-type != VIR_DOMAIN_SECLABEL_NONE)) { p = virXPathStringLimit(string(./seclabel/label[1]), VIR_SECURITY_LABEL_BUFLEN-1, ctxt); if (p == NULL) { @@ -2648,7 +2647,8 @@ virSecurityLabelDefParseXML(virSecurityLabelDefPtr def, /* Only parse imagelabel, if requested live XML with relabeling */ if (!def-norelabel -!(flags VIR_DOMAIN_XML_INACTIVE)) { +(!(flags VIR_DOMAIN_XML_INACTIVE) + def-type != VIR_DOMAIN_SECLABEL_NONE)) { p = virXPathStringLimit(string(./seclabel/imagelabel[1]), VIR_SECURITY_LABEL_BUFLEN-1, ctxt); if (p == NULL) { 
@@ -2659,16 +2659,11 @@ virSecurityLabelDefParseXML(virSecurityLabelDefPtr def, def-imagelabel = p; } -/* Only parse baselabel, for dynamic or none label types */ -if (def-type == VIR_DOMAIN_SECLABEL_DYNAMIC || -def-type == VIR_DOMAIN_SECLABEL_NONE) { +/* Only parse baselabel for dynamic label type */ +if (def-type == VIR_DOMAIN_SECLABEL_DYNAMIC) { p = virXPathStringLimit(string(./seclabel/baselabel[1]), VIR_SECURITY_LABEL_BUFLEN-1, ctxt); -if (p != NULL) { -def-baselabel = p; -/* Forces none type to dynamic for back compat */ -def-type = VIR_DOMAIN_SECLABEL_DYNAMIC; -} +def-baselabel = p; } /* Only parse model, if static labelling, or a
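Review bot: In the docs/schemas/domaincommon.rng hunk, the schema now restricts relabel to 'no' when type is 'none', but none of the visible src/conf/domain_conf.c hunks adds a matching check. Since the patch is meant to make code and RNG match, confirm that virSecurityLabelDefParseXML rejects relabel='yes' together with type='none', or add a negative test input next to qemuxml2argv-seclabel-none.xml so the two cannot drift apart again.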
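Review bot: In the -2583 hunk, the new p == NULL branch assigns VIR_DOMAIN_SECLABEL_DYNAMIC without a comment, where the removed lines reported "missing security type". Add a one-line comment at that assignment saying that a seclabel element without a type attribute means dynamic per the RNG, so the silent default is not mistaken for a lost error path, and cover the no-type case with a test input alongside the new seclabel-none files.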
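Review bot: The -2659 hunk removes the branch commented "Forces none type to dynamic for back compat", and the commit message does not mention it. With the removed lines, XML carrying type='none' plus a baselabel ended up as a dynamic label; with the added lines the baselabel is skipped and the guest stays 'none', which is the unconfined type. Either keep the conversion, report an XML error for that combination, or call out the behaviour change in the commit message so admins relying on the old result are not moved to unconfined guests unnoticed.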
Re: [libvirt] [PATCH 1/2 v3] Python: Refactoring virTypedParameter conversion for NUMA tuning APIs
On 02/03/2012 01:48 AM, Eric Blake wrote: On 01/28/2012 07:53 AM, Guannan Ren wrote: *virDomainSetNumaParameters *virDomainGetNumaParameters --- python/Makefile.am |4 +- python/libvirt-override-api.xml | 13 ++ python/libvirt-override.c | 314 +++ 3 files changed, 330 insertions(+), 1 deletions(-) diff --git a/python/Makefile.am b/python/Makefile.am index 3068eee..4302fa5 100644 --- a/python/Makefile.am +++ b/python/Makefile.am @@ -8,6 +8,8 @@ SUBDIRS= . tests INCLUDES = \ $(PYTHON_INCLUDES) \ -I$(top_srcdir)/include \ +-I$(top_srcdir)/src \ +-I$(top_srcdir)/gnulib/lib \ Hmm, you converted TAB to space. -I$(top_builddir)/include \ Also, since gnulib has some directly-supplied headers (srcdir) and some generated headers (builddir), we really should be using both locations so as not to break VPATH. -I$(top_builddir)/$(subdir) \ $(GETTEXT_CPPFLAGS) 
@@ -42,7 +44,7 @@ all-local: libvirt.py libvirt_qemu.py pyexec_LTLIBRARIES = libvirtmod.la libvirtmod_qemu.la -libvirtmod_la_SOURCES = libvirt-override.c typewrappers.c +libvirtmod_la_SOURCES = libvirt-override.c typewrappers.c ../src/util/virtypedparam.c I'm not sure I like this. Rather than pulling in just one or two source files, we should probably instead figure out how to directly link against the libvirt_util library and have all of the functions available. This would also make it possible to use VIR_FREE and friends (at which point, we should disable the syntax-check exceptions currently in effect on the python files). I think I will do a preliminary patch, which does _just_ the makefile work to pull in the use of libvirt_util, then we can rebase this patch on top of that one. I know Alex Jia was also complaining about the inability to use normal libvirt conventions, because the Makefile wasn't yet set up for it, so this will be a good move overall. +function name='virDomainSetNumaParameters' file='python' +infoChange the NUMA tunables/info +return type='int' info='-1 in case of error, 0 in case of success.'/ +arg name='domain' type='virDomainPtr' info='pointer to domain object'/ +arg name='params' type='virTypedParameterPtr' info='pointer to numa tunable objects'/ Is th is type correct, or can it be any python dictionary type that maps valid numa tunable parameter names to values? +arg name='flags' type='int' info='an ORapos;ed set of virDomainModificationImpact'/ +/function +function name='virDomainGetNumaParameters' file='python' +infoGet the NUMA parameters/info +return type='int' info='returns a dictionary of params in case of success, -1 in case of error'/ The return type should be a python object - a dictionary on success, PyNone on failure where libvirt populated an error message, or NULL on a python exception. +++ b/python/libvirt-override.c 
@@ -21,6 +21,7 @@ #include libvirt/virterror.h #include typewrappers.h #include libvirt.h +#include util/virtypedparam.h Hmm, the rest of our code sets up INCLUDES so that we can use just virtypedparam.h instead of util/virtypedparam.h; another thing for me to do in pulling out the infrastructure into a preliminary patch. #ifndef __CYGWIN__ extern void initlibvirtmod(void); @@ -61,6 +62,208 @@ static char *py_str(PyObject *obj) return PyString_AsString(str); } +/* Two helper functions to help the conversions between C to Python + * for the virTypedParameter used in the following APIs. */ +static PyObject * +getPyVirTypedParameter(virTypedParameterPtr params, int nparams) +{ +PyObject *info; +PyObject *key, *val; +PyObject *ret = NULL; +int i; + +if (!params) +return ret; If we return NULL, we should ensure that there is a valid python exception object ready for the caller to access. I'm thinking it might be better to mark this function with ATTRIBUTE_NONNULL(1) to avoid worrying about whether the caller has properly generated a python exception before passing us NULL. Hi Eric I saw your comments about the nonnull attribute usage as follows http://gcc.gnu.org/bugzilla/show_bug.cgi?id=17308 I am not clear about it is still helpful to use it here? Guannan Ren -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
[libvirt] Fwd: oVirt Beijing - March 21st
Original Message
Subject: oVirt Beijing - March 21st
Date: Fri, 03 Feb 2012 15:52:41 -0500
From: Carl Trieloff cctriel...@redhat.com

Spread the word/ come join us!

http://www.ovirt.org/news-and-events/workshop/

Carl
Re: [libvirt] [PATCH] seclabel: make code and RNG match
Hmm, this patch does not seem to fix my issue. See the both xml files in the attachment. On Sat, Feb 4, 2012 at 4:10 PM, Eric Blake ebl...@redhat.com wrote: Commit b170eb99 introduced a bug: domains that had an explicit seclabel type='none'/ when started would not be reparsed if libvirtd restarted. It turns out that our testsuite was not exercising this because it never tried anything but inactive parsing. Additionally, the live XML for such a domain failed to re-validate. Applying just the tests/ portion of this patch will expose the bugs that are fixed by the other two files. * docs/schemas/domaincommon.rng (seclabel): Allow relabel under type='none'. * src/conf/domain_conf.c (virSecurityLabelDefParseXML): Per RNG, presence of seclabel with no type implies dynamic. Don't require sub-elements for type='none'. * tests/qemuxml2xmltest.c (mymain): Add test. * tests/qemuxml2argvtest.c (mymain): Likewise. * tests/qemuxml2argvdata/qemuxml2argv-seclabel-none.xml: Add file. * tests/qemuxml2argvdata/qemuxml2argv-seclabel-none.args: Add file. Reported by Ansis Atteka. --- docs/schemas/domaincommon.rng |6 +++ src/conf/domain_conf.c | 40 +--- .../qemuxml2argv-seclabel-none.args|4 ++ .../qemuxml2argv-seclabel-none.xml | 26 + tests/qemuxml2argvtest.c |1 + tests/qemuxml2xmltest.c| 29 +- 6 files changed, 74 insertions(+), 32 deletions(-) create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-none.args create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-none.xml diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng index 8111045..724d7d0 100644 --- a/docs/schemas/domaincommon.rng +++ b/docs/schemas/domaincommon.rng @@ -130,9 +130,15 @@ /interleave /group group + !-- with none, relabel must be no if present -- attribute name='type' valuenone/value /attribute + optional +attribute name='relabel' + valueno/value +/attribute + /optional /group /choice /element 
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index aa4b32d..6949ece 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -2583,17 +2583,15 @@ virSecurityLabelDefParseXML(virSecurityLabelDefPtr def, p = virXPathStringLimit(string(./seclabel/@type), VIR_SECURITY_LABEL_BUFLEN-1, ctxt); if (p == NULL) { -virDomainReportError(VIR_ERR_XML_ERROR, - %s, _(missing security type)); -goto error; -} - -def-type = virDomainSeclabelTypeFromString(p); -VIR_FREE(p); -if (def-type = 0) { -virDomainReportError(VIR_ERR_XML_ERROR, - %s, _(invalid security type)); -goto error; +def-type = VIR_DOMAIN_SECLABEL_DYNAMIC; +} else { +def-type = virDomainSeclabelTypeFromString(p); +VIR_FREE(p); +if (def-type = 0) { +virDomainReportError(VIR_ERR_XML_ERROR, + %s, _(invalid security type)); +goto error; +} } p = virXPathStringLimit(string(./seclabel/@relabel), @@ -2634,7 +2632,8 @@ virSecurityLabelDefParseXML(virSecurityLabelDefPtr def, * if the 'live' VM XML is requested */ if (def-type == VIR_DOMAIN_SECLABEL_STATIC || -!(flags VIR_DOMAIN_XML_INACTIVE)) { +(!(flags VIR_DOMAIN_XML_INACTIVE) + def-type != VIR_DOMAIN_SECLABEL_NONE)) { p = virXPathStringLimit(string(./seclabel/label[1]), VIR_SECURITY_LABEL_BUFLEN-1, ctxt); if (p == NULL) { @@ -2648,7 +2647,8 @@ virSecurityLabelDefParseXML(virSecurityLabelDefPtr def, /* Only parse imagelabel, if requested live XML with relabeling */ if (!def-norelabel -!(flags VIR_DOMAIN_XML_INACTIVE)) { +(!(flags VIR_DOMAIN_XML_INACTIVE) + def-type != VIR_DOMAIN_SECLABEL_NONE)) { p = virXPathStringLimit(string(./seclabel/imagelabel[1]), VIR_SECURITY_LABEL_BUFLEN-1, ctxt); if (p == NULL) { 
@@ -2659,16 +2659,11 @@ virSecurityLabelDefParseXML(virSecurityLabelDefPtr def, def-imagelabel = p; } -/* Only parse baselabel, for dynamic or none label types */ -if (def-type == VIR_DOMAIN_SECLABEL_DYNAMIC || -def-type == VIR_DOMAIN_SECLABEL_NONE) { +/* Only parse baselabel for dynamic label type */ +if (def-type == VIR_DOMAIN_SECLABEL_DYNAMIC) { p = virXPathStringLimit(string(./seclabel/baselabel[1]), VIR_SECURITY_LABEL_BUFLEN-1, ctxt); -if (p != NULL) { -