From a4431931393aeb1ac5893f121151fa3df4fde612 Mon Sep 17 00:00:00 2001
From: Martin Kletzander
Date: Mon, 1 Sep 2014 15:27:00 +0200
Subject: [PATCH] selinux: properly label tap FDs with imagelabel
The cleanup in commit cf976d9d used secdef->label to label the tap FDs, but that is not possible since it's process-only label (svirt_t) and not a object label (e.g. svirt_image_t). Starting a domain failed with EPERM, but simply using secdef->imagelabel instead of secdef->label fixes it.
Signed-off-by: Martin Kletzander
---
 src/security/security_selinux.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 5d184935c5..e8c13dbba2 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -2340,7 +2340,7 @@ virSecuritySELinuxSetTapFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
 if (!secdef || !secdef->label) return 0;
- return virSecuritySELinuxFSetFilecon(fd, secdef->label);
+ return virSecuritySELinuxFSetFilecon(fd, secdef->imagelabel);
 }
 static char *
--
2.39.5
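Review bot: The guard just above the changed call still tests `secdef->label`, while the call now passes `secdef->imagelabel`, so the NULL check no longer covers the value actually used. If a security label definition can carry a process label without an image label (not visible in this hunk, so this is an assumption to confirm), a NULL context would reach `virSecuritySELinuxFSetFilecon()` instead of taking the early `return 0`. The guard should follow the field being used: `if (!secdef || !secdef->imagelabel)`. The start of `virSecuritySELinuxSetTapFDLabel`, including how `secdef` is obtained, lies outside the hunk.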