Fix a failure to restore SELinux label for character devices
authorDaniel Veillard <veillard@redhat.com>
Thu, 18 Nov 2010 16:55:14 +0000 (17:55 +0100)
committerDaniel Veillard <veillard@redhat.com>
Thu, 18 Nov 2010 16:55:14 +0000 (17:55 +0100)
The code in SELinuxRestoreSecurityChardevLabel() was trying to
use SELinuxSetFilecon directly for devices or file types while
it should really use the SELinuxRestoreSecurityFileLabel encapsulating
routine, which avoids various problems like resolving symlinks,
making sure the file exists and working around NFS problems

src/security/security_selinux.c

index 936a1a6b9b41d484a18d41b1e9825e347744b648..996177ac059468dcbab919e8a9e13ff0ebb4db0a 100644 (file)
@@ -694,9 +694,10 @@ SELinuxRestoreSecurityChardevLabel(virDomainObjPtr vm,
     switch (dev->type) {
     case VIR_DOMAIN_CHR_TYPE_DEV:
     case VIR_DOMAIN_CHR_TYPE_FILE:
-        ret = SELinuxSetFilecon(dev->data.file.path, secdef->imagelabel);
+        if (SELinuxRestoreSecurityFileLabel(dev->data.file.path) < 0)
+            goto done;
+        ret = 0;
         break;
-
     case VIR_DOMAIN_CHR_TYPE_PIPE:
         if ((virAsprintf(&out, "%s.out", dev->data.file.path) < 0) ||
             (virAsprintf(&in, "%s.in", dev->data.file.path) < 0)) {
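Review bot: The `VIR_DOMAIN_CHR_TYPE_PIPE` branch at the end of this hunk may need the same switch to `SELinuxRestoreSecurityFileLabel()` for its `.out` and `.in` paths. Its body continues outside the hunk, so this is unconfirmed, but if it still calls `SELinuxSetFilecon()` with `secdef->imagelabel`, the two FIFOs would be left carrying the domain's image label instead of returning to their default context. In the new DEV/FILE branch, the `goto done` path relies on `ret` holding a failure value set before the `switch`, which is also outside the hunk and worth confirming. A short comment above the call, e.g. `/* restore the default context; the helper resolves symlinks and checks that the path exists */`, would record why the direct `SELinuxSetFilecon()` call was dropped.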