Signed-off-by: Nikolai Barybin <nikolai.barybin@virtuozzo.com>
---
src/security/security_selinux.c | 27 +++++++++++++++++++++++++--
1 file changed, 25 insertions(+), 2 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 18daa521d1..05e24ff11b 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1934,8 +1934,16 @@ virSecuritySELinuxRestoreImageLabel(virSecurityManager *mgr,
virStorageSource *src,
virSecurityDomainImageLabelFlags flags G_GNUC_UNUSED)
{
- return virSecuritySELinuxRestoreImageLabelInt(mgr, sharedFilesystems,
- def, src, false);
+ if (virSecuritySELinuxRestoreImageLabelInt(mgr, sharedFilesystems,
+ def, src, false) < 0)
+ return -1;
+
+ if (src->dataFileStore &&
+ virSecuritySELinuxRestoreImageLabelInt(mgr, sharedFilesystems,
+ def, src->dataFileStore, false) < 0)
+ return -1;
+
+ return 0;
}
@@ -2067,6 +2075,14 @@ virSecuritySELinuxSetImageLabel(virSecurityManager *mgr,
isChainTop) < 0)
return -1;
+ /* Unlike backing images, data files are not designed to be shared by
+ * anyone. Thus, we always consider them as chain top. */
+ if (n->dataFileStore &&
+ virSecuritySELinuxSetImageLabelInternal(mgr, sharedFilesystems,
+ def, n->dataFileStore, parent,
+ true) < 0)
+ return -1;
+
if (!(flags & VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN))
break;
@@ -2929,6 +2945,13 @@ virSecuritySELinuxRestoreAllLabel(virSecurityManager *mgr,
def, disk->src,
migrated) < 0)
rc = -1;
+
+ if (disk->src->dataFileStore &&
+ virSecuritySELinuxRestoreImageLabelInt(mgr, sharedFilesystems,
+ def, disk->src->dataFileStore,
+ migrated) < 0)
+ rc = -1;
+
}
for (i = 0; i < def->nhostdevs; i++) {
--
2.43.5