From: Peter Krempa Date: Fri, 2 Aug 2024 13:23:41 +0000 (+0200) Subject: virSecuritySELinuxRestoreImageLabelInt: Move FD image relabeling after 'migrated... X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=2983dd44c5106bfdb0d7d5e4d3a9d40678441f2e;p=libvirt.git virSecuritySELinuxRestoreImageLabelInt: Move FD image relabeling after 'migrated' check Reorganize the code so that the 'migrated' flag isn't checked multiple times and thus that it's more obvious what is happening when the 'migrated' flag is asserted. Signed-off-by: Peter Krempa Reviewed-by: Andrea Bolognani --- diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index bfa48a5f72..453ac67d25 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -1819,26 +1819,15 @@ virSecuritySELinuxRestoreImageLabelInt(virSecurityManager *mgr, if (src->readonly || src->shared) return 0; - if (virStorageSourceIsFD(src)) { - if (migrated) - return 0; - - if (!src->fdtuple || - !src->fdtuple->selinuxLabel || - src->fdtuple->nfds == 0) - return 0; - - ignore_value(virSecuritySELinuxFSetFilecon(src->fdtuple->fds[0], - src->fdtuple->selinuxLabel)); - return 0; - } - /* If we have a shared FS and are doing migration, we must not change * ownership, because that kills access on the destination host which is * sub-optimal for the guest VM's I/O attempts :-) */ if (migrated) { int rc = 1; + if (virStorageSourceIsFD(src)) + return 0; + if (virStorageSourceIsLocalStorage(src)) { if (!src->path) return 0; @@ -1854,6 +1843,17 @@ virSecuritySELinuxRestoreImageLabelInt(virSecurityManager *mgr, } } + if (virStorageSourceIsFD(src)) { + if (!src->fdtuple || + !src->fdtuple->selinuxLabel || + src->fdtuple->nfds == 0) + return 0; + + ignore_value(virSecuritySELinuxFSetFilecon(src->fdtuple->fds[0], + src->fdtuple->selinuxLabel)); + return 0; + } + /* This is not very clean. But so far we don't have NVMe * storage pool backend so that its chownCallback would be * called. And this place looks least offensive. */