From 2ce63c161111c6d813130f850639d1548d80c3fe Mon Sep 17 00:00:00 2001
From: Peter Krempa
Date: Tue, 2 Jul 2013 18:34:58 +0200
Subject: [PATCH] selinux: Always generate imagelabel

The imagelabel SELinux label was only generated when relabeling was enabled. This prohibited labeling of files created by libvirt that need to be labeled even if relabeling is turned off. The only codepath this change has direct impact on is labeling of FDs passed to qemu which is always safe in current state.
---
 src/security/security_selinux.c | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index ec4f764e4a..d7c978dbea 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -687,13 +687,12 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
 goto cleanup;
 }
- if (!seclabel->norelabel) {
- seclabel->imagelabel = virSecuritySELinuxGenNewContext(data->file_context,
- mcs,
- true);
- if (!seclabel->imagelabel)
- goto cleanup;
- }
+ /* always generate a image label, needed to label new objects */
+ seclabel->imagelabel = virSecuritySELinuxGenNewContext(data->file_context,
+ mcs,
+ true);
+ if (!seclabel->imagelabel)
+ goto cleanup;
 if (!seclabel->model && VIR_STRDUP(seclabel->model, SECURITY_SELINUX_NAME) < 0)
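Review bot: With the `norelabel` guard removed, `seclabel->imagelabel` is now non-NULL even for domains that have relabeling disabled, so any caller that treated a NULL `imagelabel` as "do not relabel" would start applying labels to existing files. The commit message states that only the FD-labeling path is affected, but that cannot be confirmed from this hunk, and the new comment does not record the invariant for future callers. I would spell it out where the label is generated, which also fixes the "a image" typo: `/* always generate an image label (needed to label new objects); callers must check seclabel->norelabel, not imagelabel, before relabeling existing files */`. The body of virSecuritySELinuxGenSecurityLabel starts and ends outside the hunk, so the cleanup path for a failed generation is not visible here.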