From 2983dd44c5106bfdb0d7d5e4d3a9d40678441f2e Mon Sep 17 00:00:00 2001
From: Peter Krempa
Date: Fri, 2 Aug 2024 15:23:41 +0200
Subject: [PATCH] virSecuritySELinuxRestoreImageLabelInt: Move FD image relabeling after 'migrated' check

Reorganize the code so that the 'migrated' flag isn't checked multiple times and thus that it's more obvious what is happening when the 'migrated' flag is asserted.

Signed-off-by: Peter Krempa
Reviewed-by: Andrea Bolognani
---
 src/security/security_selinux.c | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index bfa48a5f72..453ac67d25 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1819,26 +1819,15 @@ virSecuritySELinuxRestoreImageLabelInt(virSecurityManager *mgr,
 if (src->readonly || src->shared)
 return 0;
 
- if (virStorageSourceIsFD(src)) {
- if (migrated)
- return 0;
-
- if (!src->fdtuple ||
- !src->fdtuple->selinuxLabel ||
- src->fdtuple->nfds == 0)
- return 0;
-
- ignore_value(virSecuritySELinuxFSetFilecon(src->fdtuple->fds[0],
- src->fdtuple->selinuxLabel));
- return 0;
- }
-
 /* If we have a shared FS and are doing migration, we must not change
 * ownership, because that kills access on the destination host which is
 * sub-optimal for the guest VM's I/O attempts :-) */
 if (migrated) {
 int rc = 1;
 
+ if (virStorageSourceIsFD(src))
+ return 0;
+
 if (virStorageSourceIsLocalStorage(src)) {
 if (!src->path)
 return 0;
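Review bot: The comment above `if (migrated)` still explains only the shared-filesystem case, but the block now opens with `if (virStorageSourceIsFD(src)) return 0;`, so nothing at that spot tells a reader that FD-passed images are deliberately left with their current label after a migration. I would put a one-line comment on the new check, for example `/* images passed as FDs are never relabelled once the domain was migrated */`, and extend it with the reason if the authors can state one. The function begins and ends outside this hunk.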
@@ -1854,6 +1843,17 @@ virSecuritySELinuxRestoreImageLabelInt(virSecurityManager *mgr,
 }
 }
 
+ if (virStorageSourceIsFD(src)) {
+ if (!src->fdtuple ||
+ !src->fdtuple->selinuxLabel ||
+ src->fdtuple->nfds == 0)
+ return 0;
+
+ ignore_value(virSecuritySELinuxFSetFilecon(src->fdtuple->fds[0],
+ src->fdtuple->selinuxLabel));
+ return 0;
+ }
+
 /* This is not very clean. But so far we don't have NVMe
 * storage pool backend so that its chownCallback would be
 * called. And this place looks least offensive. */
-- 
2.39.5
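Review bot: In the relocated FD block the result of `virSecuritySELinuxFSetFilecon()` is discarded through `ignore_value()`, so when the restore fails the file behind the passed descriptor presumably keeps the label it carried while the domain used it, and this call site leaves no trace of that. Unless the helper already logs the failure (its body is not part of this patch), I would check the result and warn, e.g. `if (virSecuritySELinuxFSetFilecon(src->fdtuple->fds[0], src->fdtuple->selinuxLabel) < 0) VIR_WARN("Unable to restore SELinux label on passed FD");`, or at least add a comment saying the restore is deliberately best-effort. The block also relabels only `fds[0]` although the guard accepts any `nfds > 0`; a short comment on why the first descriptor is sufficient would help. The function starts and ends outside this hunk.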