[PATCH 09/15] security: selinux: handle qcow2 data-file on image label set/restore

Nikolai Barybin via Devel posted 15 patches 1 year, 2 months ago
Posted by Nikolai Barybin via Devel 1 year, 2 months ago
Signed-off-by: Nikolai Barybin <nikolai.barybin@virtuozzo.com>
---
 src/security/security_selinux.c | 27 +++++++++++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 18daa521d1..05e24ff11b 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1934,8 +1934,16 @@ virSecuritySELinuxRestoreImageLabel(virSecurityManager *mgr,
                                     virStorageSource *src,
                                     virSecurityDomainImageLabelFlags flags G_GNUC_UNUSED)
 {
-    return virSecuritySELinuxRestoreImageLabelInt(mgr, sharedFilesystems,
-                                                  def, src, false);
+    if (virSecuritySELinuxRestoreImageLabelInt(mgr, sharedFilesystems,
+                                               def, src, false) < 0)
+        return -1;
+
+    if (src->dataFileStore &&
+        virSecuritySELinuxRestoreImageLabelInt(mgr, sharedFilesystems,
+                                               def, src->dataFileStore, false) < 0)
+        return -1;
+
+    return 0;
 }
 
 
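Review bot: the early `return -1` after the first virSecuritySELinuxRestoreImageLabelInt() call means that when restoring the label on `src` fails, the restore on `src->dataFileStore` is never attempted, while the virSecuritySELinuxRestoreAllLabel hunk in this same patch runs both restores and only records `rc = -1`. For consistency, and so that one failed restore does not leave the data file still carrying the domain's label, run both calls unconditionally and return -1 if either failed, e.g. `int rc = 0;`, set `rc = -1` on each failure, `return rc;`.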
@@ -2067,6 +2075,14 @@ virSecuritySELinuxSetImageLabel(virSecurityManager *mgr,
                                                     isChainTop) < 0)
             return -1;
 
+        /* Unlike backing images, data files are not designed to be shared by
+         * anyone. Thus, we always consider them as chain top. */
+        if (n->dataFileStore &&
+            virSecuritySELinuxSetImageLabelInternal(mgr, sharedFilesystems,
+                                                    def, n->dataFileStore, parent,
+                                                    true) < 0)
+            return -1;
+
         if (!(flags & VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN))
             break;
 
@@ -2929,6 +2945,13 @@ virSecuritySELinuxRestoreAllLabel(virSecurityManager *mgr,
                                                    def, disk->src,
                                                    migrated) < 0)
             rc = -1;
+
+        if (disk->src->dataFileStore &&
+            virSecuritySELinuxRestoreImageLabelInt(mgr, sharedFilesystems,
+                                                   def, disk->src->dataFileStore,
+                                                   migrated) < 0)
+            rc = -1;
+
     }
 
     for (i = 0; i < def->nhostdevs; i++) {
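Review bot: the added block ends with a blank `+` line immediately before the closing `}` of the disk loop, which libvirt's coding style does not use; drop it. The continue-and-record-`rc` handling itself is the right shape here, and the virSecuritySELinuxRestoreImageLabel hunk earlier in this patch should follow the same pattern instead of returning on the first failure.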
-- 
2.43.5
Re: [PATCH 09/15] security: selinux: handle qcow2 data-file on image label set/restore
Posted by Peter Krempa 1 year, 2 months ago
On Wed, Nov 20, 2024 at 18:48:44 +0300, Nikolai Barybin via Devel wrote:
> Signed-off-by: Nikolai Barybin <nikolai.barybin@virtuozzo.com>
> ---
>  src/security/security_selinux.c | 27 +++++++++++++++++++++++++--
>  1 file changed, 25 insertions(+), 2 deletions(-)

[...]

> @@ -2067,6 +2075,14 @@ virSecuritySELinuxSetImageLabel(virSecurityManager *mgr,
>                                                      isChainTop) < 0)
>              return -1;
>  
> +        /* Unlike backing images, data files are not designed to be shared by
> +         * anyone. Thus, we always consider them as chain top. */
> +        if (n->dataFileStore &&
> +            virSecuritySELinuxSetImageLabelInternal(mgr, sharedFilesystems,
> +                                                    def, n->dataFileStore, parent,
> +                                                    true) < 0)

Inside this function there's code which picks which label gets applied,
the code applies RW labels if the active element is equal to 'parent'.

This needs to be extended to also consider 'parent->dataFileStore' so
that the data-file images are labelled RW.
Re: [PATCH 09/15] security: selinux: handle qcow2 data-file on image label set/restore
Posted by Peter Krempa 1 year, 2 months ago
On Wed, Nov 20, 2024 at 18:48:44 +0300, Nikolai Barybin via Devel wrote:
> Signed-off-by: Nikolai Barybin <nikolai.barybin@virtuozzo.com>
> ---
>  src/security/security_selinux.c | 27 +++++++++++++++++++++++++--
>  1 file changed, 25 insertions(+), 2 deletions(-)

Reviewed-by: Peter Krempa <pkrempa@redhat.com>