From: Michal Privoznik
To: libvir-list@redhat.com
Subject: [PATCH] qemu_process: Release domain seclabel later in qemuProcessStop()
Date: Wed, 9 Dec 2020 11:26:52 +0100
Message-Id: <295a1855444049419e2329379a85f38d59b29807.1607509606.git.mprivozn@redhat.com>

Some secdrivers (typically SELinux driver) generate unique dynamic seclabel for each domain (unless a static one is requested in domain XML). This is achieved by calling qemuSecurityGenLabel() from qemuProcessPrepareDomain() which allocates unique seclabel and stores it in domain def->seclabels. The counterpart is qemuSecurityReleaseLabel() which releases the label and removes it from def->seclabels. Problem is, that with current code the qemuProcessStop() may still want to use the seclabel after it was released, e.g. when it wants to restore the label of a disk mirror.

What is happening now, is that in qemuProcessStop() the qemuSecurityReleaseLabel() is called, which removes the SELinux seclabel from def->seclabels, yada yada yada and eventually qemuSecurityRestoreImageLabel() is called. This bubbles down to virSecuritySELinuxRestoreImageLabelSingle() which finds no SELinux seclabel (using virDomainDefGetSecurityLabelDef()) and this returns early doing nothing.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1751664
Fixes: 8fa0374c5b8e834fcbdeae674cc6cc9e6bf9019f
Signed-off-by: Michal Privoznik
Reviewed-by: Daniel P. Berrangé
--- src/qemu/qemu_process.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index 3b64caa619..15cf8cb666 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c @@ -7702,8 +7702,6 @@ void qemuProcessStop(virQEMUDriverPtr driver, qemuSecurityRestoreAllLabel(driver, vm, !!(flags & VIR_QEMU_PROCESS_STOP_MIGRA= TED)); =20 - qemuSecurityReleaseLabel(driver->securityManager, vm->def); - for (i =3D 0; i < vm->def->ndisks; i++) { virDomainDeviceDef dev; virDomainDiskDefPtr disk =3D vm->def->disks[i]; @@ -7891,6 +7889,8 @@ void qemuProcessStop(virQEMUDriverPtr driver, } } =20 + qemuSecurityReleaseLabel(driver->securityManager, vm->def); + /* clear all private data entries which are no longer needed */ qemuDomainObjPrivateDataClear(priv); =20 --=20 2.26.2
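Review bot: In the first hunk (@@ -7702), dropping qemuSecurityReleaseLabel() from its place right after qemuSecurityRestoreAllLabel() means the release now happens roughly 190 lines further down (old line 7702, new line 7889), and nothing in the visible context shows whether every path through that stretch still reaches the new call. Please confirm that no branch between the two sites leaves qemuProcessStop() or jumps past the new location, since the dynamically generated seclabel would then stay in def->seclabels and never be released. A sentence in the commit message saying this was checked would settle it.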
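Review bot: In the second hunk (@@ -7891), the re-added qemuSecurityReleaseLabel(driver->securityManager, vm->def) carries no comment explaining why it has to sit this late, so a later tidy-up could move it back next to qemuSecurityRestoreAllLabel() and bring the bug back. A short comment above the call would help, along the lines of: /* Release the seclabel only after all label restoring above is done; the restore code looks it up in vm->def->seclabels */. The diffstat also shows only src/qemu/qemu_process.c changing, so a regression test covering the disk mirror case from the commit message would be a useful follow-up.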