Commit dbf1f68410 ("security: do not remember/recall labels for VFIO")
rightly changed the DAC and SELinux labeling parameters to fix a problem
with "VFIO hostdevs" but really only addressed the PCI codepaths.
As a result, we can still encounter this with VFIO MDEVs such as
vfio-ccw and vfio-ap, which can fail on a hotplug:

  [test@host ~]# mdevctl stop -u 11f2d2bc-4083-431d-a023-eff72715c4f0
  [test@host ~]# mdevctl start -u 11f2d2bc-4083-431d-a023-eff72715c4f0
  [test@host ~]# cat disk.xml
    <hostdev mode='subsystem' type='mdev' model='vfio-ccw'>
      <source>
        <address uuid='11f2d2bc-4083-431d-a023-eff72715c4f0'/>
      </source>
      <address type='ccw' cssid='0xfe' ssid='0x0' devno='0x3c51'/>
    </hostdev>
  [test@host ~]# virsh attach-device guest ~/disk.xml
  error: Failed to attach device from /home/test/disk.xml
  error: Requested operation is not valid: Setting different SELinux label on /dev/vfio/3 which is already in use

Make the same changes as reported in commit dbf1f68410, for the mdev paths.

Reported-by: Matthew Rosato <mjrosato@linux.ibm.com>
Signed-off-by: Eric Farman <farman@linux.ibm.com>
---
 src/security/security_dac.c     | 4 ++--
 src/security/security_selinux.c | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 9be8f458d1..bceb6a5c24 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -1310,7 +1310,7 @@ virSecurityDACSetHostdevLabel(virSecurityManager *mgr,
         if (!(vfiodev = virMediatedDeviceGetIOMMUGroupDev(mdevsrc->uuidstr)))
             return -1;
 
-        ret = virSecurityDACSetHostdevLabelHelper(vfiodev, true, &cbdata);
+        ret = virSecurityDACSetHostdevLabelHelper(vfiodev, false, &cbdata);
         break;
     }
 
@@ -1466,7 +1466,7 @@ virSecurityDACRestoreHostdevLabel(virSecurityManager *mgr,
         if (!(vfiodev = virMediatedDeviceGetIOMMUGroupDev(mdevsrc->uuidstr)))
             return -1;
 
-        ret = virSecurityDACRestoreFileLabel(mgr, vfiodev);
+        ret = virSecurityDACRestoreFileLabelInternal(mgr, NULL, vfiodev, false);
         break;
     }
 
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index e43962435f..9c23735aa3 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -2217,7 +2217,7 @@ virSecuritySELinuxSetHostdevSubsysLabel(virSecurityManager *mgr,
         if (!(vfiodev = virMediatedDeviceGetIOMMUGroupDev(mdevsrc->uuidstr)))
             return ret;
 
-        ret = virSecuritySELinuxSetHostdevLabelHelper(vfiodev, true, &data);
+        ret = virSecuritySELinuxSetHostdevLabelHelper(vfiodev, false, &data);
         break;
     }
 
@@ -2445,7 +2445,7 @@ virSecuritySELinuxRestoreHostdevSubsysLabel(virSecurityManager *mgr,
         if (!(vfiodev = virMediatedDeviceGetIOMMUGroupDev(mdevsrc->uuidstr)))
             return -1;
 
-        ret = virSecuritySELinuxRestoreFileLabel(mgr, vfiodev, true);
+        ret = virSecuritySELinuxRestoreFileLabel(mgr, vfiodev, false);
         break;
     }
 
-- 
2.37.2

On 4/1/23 02:42, Eric Farman wrote:
> Commit dbf1f68410 ("security: do not remember/recall labels for VFIO")
> rightly changed the DAC and SELinux labeling parameters to fix a problem
> with "VFIO hostdevs" but really only addressed the PCI codepaths.
> As a result, we can still encounter this with VFIO MDEVs such as
> vfio-ccw and vfio-ap, which can fail on a hotplug:
> 
>   [test@host ~]# mdevctl stop -u 11f2d2bc-4083-431d-a023-eff72715c4f0
>   [test@host ~]# mdevctl start -u 11f2d2bc-4083-431d-a023-eff72715c4f0
>   [test@host ~]# cat disk.xml
>     <hostdev mode='subsystem' type='mdev' model='vfio-ccw'>
>       <source>
>         <address uuid='11f2d2bc-4083-431d-a023-eff72715c4f0'/>
>       </source>
>       <address type='ccw' cssid='0xfe' ssid='0x0' devno='0x3c51'/>
>     </hostdev>
>   [test@host ~]# virsh attach-device guest ~/disk.xml
>   error: Failed to attach device from /home/test/disk.xml
>   error: Requested operation is not valid: Setting different SELinux label on /dev/vfio/3 which is already in use
> 
> Make the same changes as reported in commit dbf1f68410, for the mdev paths.
> 
> Reported-by: Matthew Rosato <mjrosato@linux.ibm.com>
> Signed-off-by: Eric Farman <farman@linux.ibm.com>
> ---
>  src/security/security_dac.c     | 4 ++--
>  src/security/security_selinux.c | 4 ++--
>  2 files changed, 4 insertions(+), 4 deletions(-)

Oops, sorry for the delay. I marked for review when I saw this patch,
but then got side tracked and forgot about it.

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

and pushed.

Michal

On Thu, 2023-04-13 at 16:35 +0200, Michal Prívozník wrote:
> On 4/1/23 02:42, Eric Farman wrote:
> > Commit dbf1f68410 ("security: do not remember/recall labels for
> > VFIO")
> > rightly changed the DAC and SELinux labeling parameters to fix a
> > problem
> > with "VFIO hostdevs" but really only addressed the PCI codepaths.
> > As a result, we can still encounter this with VFIO MDEVs such as
> > vfio-ccw and vfio-ap, which can fail on a hotplug:
> > 
> >   [test@host ~]# mdevctl stop -u 11f2d2bc-4083-431d-a023-
> > eff72715c4f0
> >   [test@host ~]# mdevctl start -u 11f2d2bc-4083-431d-a023-
> > eff72715c4f0
> >   [test@host ~]# cat disk.xml
> >     <hostdev mode='subsystem' type='mdev' model='vfio-ccw'>
> >       <source>
> >         <address uuid='11f2d2bc-4083-431d-a023-eff72715c4f0'/>
> >       </source>
> >       <address type='ccw' cssid='0xfe' ssid='0x0' devno='0x3c51'/>
> >     </hostdev>
> >   [test@host ~]# virsh attach-device guest ~/disk.xml
> >   error: Failed to attach device from /home/test/disk.xml
> >   error: Requested operation is not valid: Setting different
> > SELinux label on /dev/vfio/3 which is already in use
> > 
> > Make the same changes as reported in commit dbf1f68410, for the
> > mdev paths.
> > 
> > Reported-by: Matthew Rosato <mjrosato@linux.ibm.com>
> > Signed-off-by: Eric Farman <farman@linux.ibm.com>
> > ---
> >  src/security/security_dac.c     | 4 ++--
> >  src/security/security_selinux.c | 4 ++--
> >  2 files changed, 4 insertions(+), 4 deletions(-)
> 
> Oops, sorry for the delay. I marked for review when I saw this patch,
> but then got side tracked and forgot about it.

Not a problem; thank you for the review/push!

Eric

> 
> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
> 
> and pushed.
> 
> Michal
> 

On Sat, 2023-04-01 at 02:42 +0200, Eric Farman wrote:
> Commit dbf1f68410 ("security: do not remember/recall labels for
> VFIO")
> rightly changed the DAC and SELinux labeling parameters to fix a
> problem
> with "VFIO hostdevs" but really only addressed the PCI codepaths.
> As a result, we can still encounter this with VFIO MDEVs such as
> vfio-ccw and vfio-ap, which can fail on a hotplug:
> 
>   [test@host ~]# mdevctl stop -u 11f2d2bc-4083-431d-a023-eff72715c4f0
>   [test@host ~]# mdevctl start -u 11f2d2bc-4083-431d-a023-
> eff72715c4f0
>   [test@host ~]# cat disk.xml
>     <hostdev mode='subsystem' type='mdev' model='vfio-ccw'>
>       <source>
>         <address uuid='11f2d2bc-4083-431d-a023-eff72715c4f0'/>
>       </source>
>       <address type='ccw' cssid='0xfe' ssid='0x0' devno='0x3c51'/>
>     </hostdev>
>   [test@host ~]# virsh attach-device guest ~/disk.xml
>   error: Failed to attach device from /home/test/disk.xml
>   error: Requested operation is not valid: Setting different SELinux
> label on /dev/vfio/3 which is already in use
> 
> Make the same changes as reported in commit dbf1f68410, for the mdev
> paths.
> 
> Reported-by: Matthew Rosato <mjrosato@linux.ibm.com>
> Signed-off-by: Eric Farman <farman@linux.ibm.com>

Ping? I'm hoping this just got lost between the release and the
holiday, but if there's some changes needed here I'm happy to work
through that. Thank you!

> ---
>  src/security/security_dac.c     | 4 ++--
>  src/security/security_selinux.c | 4 ++--
>  2 files changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/src/security/security_dac.c
> b/src/security/security_dac.c
> index 9be8f458d1..bceb6a5c24 100644
> --- a/src/security/security_dac.c
> +++ b/src/security/security_dac.c
> @@ -1310,7 +1310,7 @@
> virSecurityDACSetHostdevLabel(virSecurityManager *mgr,
>          if (!(vfiodev = virMediatedDeviceGetIOMMUGroupDev(mdevsrc-
> >uuidstr)))
>              return -1;
>  
> -        ret = virSecurityDACSetHostdevLabelHelper(vfiodev, true,
> &cbdata);
> +        ret = virSecurityDACSetHostdevLabelHelper(vfiodev, false,
> &cbdata);
>          break;
>      }
>  
> @@ -1466,7 +1466,7 @@
> virSecurityDACRestoreHostdevLabel(virSecurityManager *mgr,
>          if (!(vfiodev = virMediatedDeviceGetIOMMUGroupDev(mdevsrc-
> >uuidstr)))
>              return -1;
>  
> -        ret = virSecurityDACRestoreFileLabel(mgr, vfiodev);
> +        ret = virSecurityDACRestoreFileLabelInternal(mgr, NULL,
> vfiodev, false);
>          break;
>      }
>  
> diff --git a/src/security/security_selinux.c
> b/src/security/security_selinux.c
> index e43962435f..9c23735aa3 100644
> --- a/src/security/security_selinux.c
> +++ b/src/security/security_selinux.c
> @@ -2217,7 +2217,7 @@
> virSecuritySELinuxSetHostdevSubsysLabel(virSecurityManager *mgr,
>          if (!(vfiodev = virMediatedDeviceGetIOMMUGroupDev(mdevsrc-
> >uuidstr)))
>              return ret;
>  
> -        ret = virSecuritySELinuxSetHostdevLabelHelper(vfiodev, true,
> &data);
> +        ret = virSecuritySELinuxSetHostdevLabelHelper(vfiodev,
> false, &data);
>          break;
>      }
>  
> @@ -2445,7 +2445,7 @@
> virSecuritySELinuxRestoreHostdevSubsysLabel(virSecurityManager *mgr,
>          if (!(vfiodev = virMediatedDeviceGetIOMMUGroupDev(mdevsrc-
> >uuidstr)))
>              return -1;
>  
> -        ret = virSecuritySELinuxRestoreFileLabel(mgr, vfiodev,
> true);
> +        ret = virSecuritySELinuxRestoreFileLabel(mgr, vfiodev,
> false);
>          break;
>      }
>