selinux: properly label tap FDs with imagelabel

The cleanup in commit cf976d9d used secdef->label to label the tap
FDs, but that is not possible since it's process-only label (svirt_t)
and not a object label (e.g. svirt_image_t).  Starting a domain failed
with EPERM, but simply using secdef->imagelabel instead of
secdef->label fixes it.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 5d184935c5840f82f8ff0cc5e51e1d3f0a5334b1..e8c13dbba294ef54c674be41731c6b49373dc39e 100644 (file)
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -2340,7 +2340,7 @@ virSecuritySELinuxSetTapFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
     if (!secdef || !secdef->label)
         return 0;
 
-    return virSecuritySELinuxFSetFilecon(fd, secdef->label);
+    return virSecuritySELinuxFSetFilecon(fd, secdef->imagelabel);
 }
 
 static char *