From: Michal Privoznik
To: libvir-list@redhat.com
Date: Thu, 25 Apr 2019 10:19:52 +0200
Message-Id: <4ced0d08cdbc38246d56175902e62ebb16557877.1556179410.git.mprivozn@redhat.com>
Subject: [libvirt] [PATCH v4 16/25] security_selinux: Allow caller to suppress owner remembering

Just like the previous commit allowed enabling or disabling owner remembering for each individual path, do the same for the SELinux driver. This is going to be needed in the next commit.

Signed-off-by: Michal Privoznik
Reviewed-by: Cole Robinson
Reviewed-by: Daniel P. Berrangé
---
 src/security/security_selinux.c | 163 ++++++++++++++++++--------------
 1 file changed, 94 insertions(+), 69 deletions(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 38f4e3afd8..3ac3b83e45 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -82,6 +82,7 @@ struct _virSecuritySELinuxContextItem { char *path; char *tcon; bool optional; + bool remember; /* Whether owner remembering should be done for @path/@= src */ bool restore; /* Whether current operation is 'set' or 'restore' */ }; =20 
@@ -122,6 +123,7 @@ virSecuritySELinuxContextListAppend(virSecuritySELinuxC= ontextListPtr list, const char *path, const char *tcon, bool optional, + bool remember, bool restore) { int ret =3D -1; @@ -134,6 +136,7 @@ virSecuritySELinuxContextListAppend(virSecuritySELinuxC= ontextListPtr list, goto cleanup; =20 item->optional =3D optional; + item->remember =3D remember; item->restore =3D restore; =20 if (VIR_APPEND_ELEMENT(list->items, list->nItems, item) < 0) @@ -168,9 +171,12 @@ virSecuritySELinuxContextListFree(void *opaque) * @path: Path to chown * @tcon: target context * @optional: true if setting @tcon is optional + * @remember: if the original owner should be recorded/recalled * @restore: if current operation is set or restore * * Appends an entry onto transaction list. + * The @remember should be true if caller wishes to record/recall + * the original owner of @path/@src. * The @restore should be true if the operation is restoring * seclabel and false otherwise. * @@ -182,6 +188,7 @@ static int virSecuritySELinuxTransactionAppend(const char *path, const char *tcon, bool optional, + bool remember, bool restore) { virSecuritySELinuxContextListPtr list; @@ -190,7 +197,8 @@ virSecuritySELinuxTransactionAppend(const char *path, if (!list) return 0; =20 - if (virSecuritySELinuxContextListAppend(list, path, tcon, optional, re= store) < 0) + if (virSecuritySELinuxContextListAppend(list, path, tcon, + optional, remember, restore) <= 0) return -1; =20 return 1; 
@@ -276,17 +284,18 @@ virSecuritySELinuxTransactionRun(pid_t pid ATTRIBUTE_= UNUSED, rv =3D 0; for (i =3D 0; i < list->nItems; i++) { virSecuritySELinuxContextItemPtr item =3D list->items[i]; + const bool remember =3D item->remember && list->lock; =20 if (!item->restore) { rv =3D virSecuritySELinuxSetFileconHelper(list->manager, item->path, item->tcon, item->optional, - list->lock); + remember); } else { rv =3D virSecuritySELinuxRestoreFileLabel(list->manager, item->path, - list->lock); + remember); } =20 if (rv < 0) @@ -295,11 +304,12 @@ virSecuritySELinuxTransactionRun(pid_t pid ATTRIBUTE_= UNUSED, =20 for (; rv < 0 && i > 0; i--) { virSecuritySELinuxContextItemPtr item =3D list->items[i - 1]; + const bool remember =3D item->remember && list->lock; =20 if (!item->restore) { virSecuritySELinuxRestoreFileLabel(list->manager, item->path, - list->lock); + remember); } else { VIR_WARN("Ignoring failed restore attempt on %s", item->path); } @@ -1326,7 +1336,8 @@ virSecuritySELinuxSetFileconHelper(virSecurityManager= Ptr mgr, int rc; int ret =3D -1; =20 - if ((rc =3D virSecuritySELinuxTransactionAppend(path, tcon, optional, = false)) < 0) + if ((rc =3D virSecuritySELinuxTransactionAppend(path, tcon, + optional, remember, fals= e)) < 0) return -1; else if (rc > 0) return 0; 
@@ -1389,16 +1400,20 @@ virSecuritySELinuxSetFileconHelper(virSecurityManag= erPtr mgr, =20 static int virSecuritySELinuxSetFileconOptional(virSecurityManagerPtr mgr, - const char *path, const char *tcon) + const char *path, + const char *tcon, + bool remember) { - return virSecuritySELinuxSetFileconHelper(mgr, path, tcon, true, false= ); + return virSecuritySELinuxSetFileconHelper(mgr, path, tcon, true, remem= ber); } =20 static int virSecuritySELinuxSetFilecon(virSecurityManagerPtr mgr, - const char *path, const char *tcon) + const char *path, + const char *tcon, + bool remember) { - return virSecuritySELinuxSetFileconHelper(mgr, path, tcon, false, fals= e); + return virSecuritySELinuxSetFileconHelper(mgr, path, tcon, false, reme= mber); } =20 static int @@ -1484,7 +1499,8 @@ virSecuritySELinuxRestoreFileLabel(virSecurityManager= Ptr mgr, goto cleanup; } =20 - if ((rc =3D virSecuritySELinuxTransactionAppend(path, NULL, false, tru= e)) < 0) { + if ((rc =3D virSecuritySELinuxTransactionAppend(path, NULL, + false, recall, true)) < = 0) { goto cleanup; } else if (rc > 0) { ret =3D 0; @@ -1545,7 +1561,7 @@ virSecuritySELinuxSetInputLabel(virSecurityManagerPtr= mgr, switch ((virDomainInputType)input->type) { case VIR_DOMAIN_INPUT_TYPE_PASSTHROUGH: if (virSecuritySELinuxSetFilecon(mgr, input->source.evdev, - seclabel->imagelabel) < 0) + seclabel->imagelabel, true) < 0) return -1; break; =20 @@ -1574,7 +1590,7 @@ virSecuritySELinuxRestoreInputLabel(virSecurityManage= rPtr mgr, =20 switch ((virDomainInputType)input->type) { case VIR_DOMAIN_INPUT_TYPE_PASSTHROUGH: - rc =3D virSecuritySELinuxRestoreFileLabel(mgr, input->source.evdev= , false); + rc =3D virSecuritySELinuxRestoreFileLabel(mgr, input->source.evdev= , true); break; =20 case VIR_DOMAIN_INPUT_TYPE_MOUSE: 
@@ -1602,7 +1618,7 @@ virSecuritySELinuxSetMemoryLabel(virSecurityManagerPt= r mgr, return 0; =20 if (virSecuritySELinuxSetFilecon(mgr, mem->nvdimmPath, - seclabel->imagelabel) < 0) + seclabel->imagelabel, true) < 0) return -1; break; =20 @@ -1630,7 +1646,7 @@ virSecuritySELinuxRestoreMemoryLabel(virSecurityManag= erPtr mgr, if (!seclabel || !seclabel->relabel) return 0; =20 - ret =3D virSecuritySELinuxRestoreFileLabel(mgr, mem->nvdimmPath, f= alse); + ret =3D virSecuritySELinuxRestoreFileLabel(mgr, mem->nvdimmPath, t= rue); break; =20 case VIR_DOMAIN_MEMORY_MODEL_DIMM: @@ -1661,14 +1677,14 @@ virSecuritySELinuxSetTPMFileLabel(virSecurityManage= rPtr mgr, switch (tpm->type) { case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: tpmdev =3D tpm->data.passthrough.source.data.file.path; - rc =3D virSecuritySELinuxSetFilecon(mgr, tpmdev, seclabel->imagela= bel); + rc =3D virSecuritySELinuxSetFilecon(mgr, tpmdev, seclabel->imagela= bel, true); if (rc < 0) return -1; =20 if ((cancel_path =3D virTPMCreateCancelPath(tpmdev)) !=3D NULL) { rc =3D virSecuritySELinuxSetFilecon(mgr, cancel_path, - seclabel->imagelabel); + seclabel->imagelabel, true); VIR_FREE(cancel_path); if (rc < 0) { virSecuritySELinuxRestoreTPMFileLabelInt(mgr, def, tpm); @@ -1680,7 +1696,7 @@ virSecuritySELinuxSetTPMFileLabel(virSecurityManagerP= tr mgr, break; case VIR_DOMAIN_TPM_TYPE_EMULATOR: tpmdev =3D tpm->data.emulator.source.data.nix.path; - rc =3D virSecuritySELinuxSetFilecon(mgr, tpmdev, seclabel->imagela= bel); + rc =3D virSecuritySELinuxSetFilecon(mgr, tpmdev, seclabel->imagela= bel, true); if (rc < 0) return -1; break; 
@@ -1709,10 +1725,10 @@ virSecuritySELinuxRestoreTPMFileLabelInt(virSecurit= yManagerPtr mgr, switch (tpm->type) { case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: tpmdev =3D tpm->data.passthrough.source.data.file.path; - rc =3D virSecuritySELinuxRestoreFileLabel(mgr, tpmdev, false); + rc =3D virSecuritySELinuxRestoreFileLabel(mgr, tpmdev, true); =20 if ((cancel_path =3D virTPMCreateCancelPath(tpmdev)) !=3D NULL) { - if (virSecuritySELinuxRestoreFileLabel(mgr, cancel_path, false= ) < 0) + if (virSecuritySELinuxRestoreFileLabel(mgr, cancel_path, true)= < 0) rc =3D -1; VIR_FREE(cancel_path); } @@ -1779,7 +1795,7 @@ virSecuritySELinuxRestoreImageLabelInt(virSecurityMan= agerPtr mgr, } } =20 - return virSecuritySELinuxRestoreFileLabel(mgr, src->path, false); + return virSecuritySELinuxRestoreFileLabel(mgr, src->path, true); } =20 =20 
@@ -1822,32 +1838,38 @@ virSecuritySELinuxSetImageLabelInternal(virSecurity= ManagerPtr mgr, if (!disk_seclabel->relabel) return 0; =20 - ret =3D virSecuritySELinuxSetFilecon(mgr, src->path, disk_seclabel= ->label); + ret =3D virSecuritySELinuxSetFilecon(mgr, src->path, + disk_seclabel->label, true); } else if (parent_seclabel && (!parent_seclabel->relabel || parent_sec= label->label)) { if (!parent_seclabel->relabel) return 0; =20 - ret =3D virSecuritySELinuxSetFilecon(mgr, src->path, parent_seclab= el->label); + ret =3D virSecuritySELinuxSetFilecon(mgr, src->path, + parent_seclabel->label, true); } else if (!parent || parent =3D=3D src) { if (src->shared) { ret =3D virSecuritySELinuxSetFileconOptional(mgr, src->path, - data->file_context); + data->file_context, + true); } else if (src->readonly) { ret =3D virSecuritySELinuxSetFileconOptional(mgr, src->path, - data->content_conte= xt); + data->content_conte= xt, + true); } else if (secdef->imagelabel) { ret =3D virSecuritySELinuxSetFileconOptional(mgr, src->path, - secdef->imagelabel); + secdef->imagelabel, + true); } else { ret =3D 0; } } else { ret =3D virSecuritySELinuxSetFileconOptional(mgr, src->path, - data->content_context); + data->content_context, + true); } =20 if (ret =3D=3D 1 && !disk_seclabel) { @@ -1900,7 +1922,7 @@ virSecuritySELinuxSetHostdevLabelHelper(const char *f= ile, void *opaque) secdef =3D virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); if (secdef =3D=3D NULL) return 0; - return virSecuritySELinuxSetFilecon(mgr, file, secdef->imagelabel); + return virSecuritySELinuxSetFilecon(mgr, file, secdef->imagelabel, tru= e); } =20 static int 
@@ -1932,13 +1954,13 @@ virSecuritySELinuxSetSCSILabel(virSCSIDevicePtr dev, =20 if (virSCSIDeviceGetShareable(dev)) return virSecuritySELinuxSetFileconOptional(mgr, file, - data->file_context); + data->file_context, tr= ue); else if (virSCSIDeviceGetReadonly(dev)) return virSecuritySELinuxSetFileconOptional(mgr, file, - data->content_context); + data->content_context,= true); else return virSecuritySELinuxSetFileconOptional(mgr, file, - secdef->imagelabel); + secdef->imagelabel, tr= ue); } =20 static int @@ -2093,7 +2115,7 @@ virSecuritySELinuxSetHostdevCapsLabel(virSecurityMana= gerPtr mgr, if (VIR_STRDUP(path, dev->source.caps.u.storage.block) < 0) return -1; } - ret =3D virSecuritySELinuxSetFilecon(mgr, path, secdef->imagelabel= ); + ret =3D virSecuritySELinuxSetFilecon(mgr, path, secdef->imagelabel= , true); VIR_FREE(path); break; } @@ -2107,7 +2129,7 @@ virSecuritySELinuxSetHostdevCapsLabel(virSecurityMana= gerPtr mgr, if (VIR_STRDUP(path, dev->source.caps.u.misc.chardev) < 0) return -1; } - ret =3D virSecuritySELinuxSetFilecon(mgr, path, secdef->imagelabel= ); + ret =3D virSecuritySELinuxSetFilecon(mgr, path, secdef->imagelabel= , true); VIR_FREE(path); break; } @@ -2153,7 +2175,7 @@ virSecuritySELinuxRestorePCILabel(virPCIDevicePtr dev= ATTRIBUTE_UNUSED, { virSecurityManagerPtr mgr =3D opaque; =20 - return virSecuritySELinuxRestoreFileLabel(mgr, file, false); + return virSecuritySELinuxRestoreFileLabel(mgr, file, true); } =20 static int @@ -2163,7 +2185,7 @@ virSecuritySELinuxRestoreUSBLabel(virUSBDevicePtr dev= ATTRIBUTE_UNUSED, { virSecurityManagerPtr mgr =3D opaque; =20 - return virSecuritySELinuxRestoreFileLabel(mgr, file, false); + return virSecuritySELinuxRestoreFileLabel(mgr, file, true); } =20 =20 
@@ -2180,7 +2202,7 @@ virSecuritySELinuxRestoreSCSILabel(virSCSIDevicePtr d= ev, if (virSCSIDeviceGetShareable(dev) || virSCSIDeviceGetReadonly(dev)) return 0; =20 - return virSecuritySELinuxRestoreFileLabel(mgr, file, false); + return virSecuritySELinuxRestoreFileLabel(mgr, file, true); } =20 static int @@ -2190,7 +2212,7 @@ virSecuritySELinuxRestoreHostLabel(virSCSIVHostDevice= Ptr dev ATTRIBUTE_UNUSED, { virSecurityManagerPtr mgr =3D opaque; =20 - return virSecuritySELinuxRestoreFileLabel(mgr, file, false); + return virSecuritySELinuxRestoreFileLabel(mgr, file, true); } =20 =20 @@ -2294,7 +2316,7 @@ virSecuritySELinuxRestoreHostdevSubsysLabel(virSecuri= tyManagerPtr mgr, if (!(vfiodev =3D virMediatedDeviceGetIOMMUGroupDev(mdevsrc->uuids= tr))) goto done; =20 - ret =3D virSecuritySELinuxRestoreFileLabel(mgr, vfiodev, false); + ret =3D virSecuritySELinuxRestoreFileLabel(mgr, vfiodev, true); =20 VIR_FREE(vfiodev); break; @@ -2328,7 +2350,7 @@ virSecuritySELinuxRestoreHostdevCapsLabel(virSecurity= ManagerPtr mgr, if (VIR_STRDUP(path, dev->source.caps.u.storage.block) < 0) return -1; } - ret =3D virSecuritySELinuxRestoreFileLabel(mgr, path, false); + ret =3D virSecuritySELinuxRestoreFileLabel(mgr, path, true); VIR_FREE(path); break; } @@ -2342,7 +2364,7 @@ virSecuritySELinuxRestoreHostdevCapsLabel(virSecurity= ManagerPtr mgr, if (VIR_STRDUP(path, dev->source.caps.u.misc.chardev) < 0) return -1; } - ret =3D virSecuritySELinuxRestoreFileLabel(mgr, path, false); + ret =3D virSecuritySELinuxRestoreFileLabel(mgr, path, true); VIR_FREE(path); break; } 
@@ -2420,14 +2442,16 @@ virSecuritySELinuxSetChardevLabel(virSecurityManage= rPtr mgr, case VIR_DOMAIN_CHR_TYPE_FILE: ret =3D virSecuritySELinuxSetFilecon(mgr, dev_source->data.file.path, - imagelabel); + imagelabel, + true); break; =20 case VIR_DOMAIN_CHR_TYPE_UNIX: if (!dev_source->data.nix.listen) { if (virSecuritySELinuxSetFilecon(mgr, dev_source->data.nix.path, - imagelabel) < 0) + imagelabel, + true) < 0) goto done; } ret =3D 0; @@ -2438,13 +2462,14 @@ virSecuritySELinuxSetChardevLabel(virSecurityManage= rPtr mgr, (virAsprintf(&out, "%s.out", dev_source->data.file.path) < 0)) goto done; if (virFileExists(in) && virFileExists(out)) { - if ((virSecuritySELinuxSetFilecon(mgr, in, imagelabel) < 0) || - (virSecuritySELinuxSetFilecon(mgr, out, imagelabel) < 0)) { + if ((virSecuritySELinuxSetFilecon(mgr, in, imagelabel, true) <= 0) || + (virSecuritySELinuxSetFilecon(mgr, out, imagelabel, true) = < 0)) { goto done; } } else if (virSecuritySELinuxSetFilecon(mgr, dev_source->data.file.path, - imagelabel) < 0) { + imagelabel, + true) < 0) { goto done; } ret =3D 0; @@ -2492,7 +2517,7 @@ virSecuritySELinuxRestoreChardevLabel(virSecurityMana= gerPtr mgr, case VIR_DOMAIN_CHR_TYPE_FILE: if (virSecuritySELinuxRestoreFileLabel(mgr, dev_source->data.file.path, - false) < 0) + true) < 0) goto done; ret =3D 0; break; @@ -2501,7 +2526,7 @@ virSecuritySELinuxRestoreChardevLabel(virSecurityMana= gerPtr mgr, if (!dev_source->data.nix.listen) { if (virSecuritySELinuxRestoreFileLabel(mgr, dev_source->data.file.p= ath, - false) < 0) + true) < 0) goto done; } ret =3D 0; 
@@ -2512,13 +2537,13 @@ virSecuritySELinuxRestoreChardevLabel(virSecurityMa= nagerPtr mgr, (virAsprintf(&in, "%s.in", dev_source->data.file.path) < 0)) goto done; if (virFileExists(in) && virFileExists(out)) { - if ((virSecuritySELinuxRestoreFileLabel(mgr, out, false) < 0) = || - (virSecuritySELinuxRestoreFileLabel(mgr, in, false) < 0)) { + if ((virSecuritySELinuxRestoreFileLabel(mgr, out, true) < 0) || + (virSecuritySELinuxRestoreFileLabel(mgr, in, true) < 0)) { goto done; } } else if (virSecuritySELinuxRestoreFileLabel(mgr, dev_source->data.fil= e.path, - false) < 0) { + true) < 0) { goto done; } ret =3D 0; @@ -2570,7 +2595,7 @@ virSecuritySELinuxRestoreSecuritySmartcardCallback(vi= rDomainDefPtr def, database =3D dev->data.cert.database; if (!database) database =3D VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE; - return virSecuritySELinuxRestoreFileLabel(mgr, database, false); + return virSecuritySELinuxRestoreFileLabel(mgr, database, true); =20 case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH: return virSecuritySELinuxRestoreChardevLabel(mgr, def, 
@@ -2665,23 +2690,23 @@ virSecuritySELinuxRestoreAllLabel(virSecurityManage= rPtr mgr, rc =3D -1; =20 if (def->os.loader && def->os.loader->nvram && - virSecuritySELinuxRestoreFileLabel(mgr, def->os.loader->nvram, fal= se) < 0) + virSecuritySELinuxRestoreFileLabel(mgr, def->os.loader->nvram, tru= e) < 0) rc =3D -1; =20 if (def->os.kernel && - virSecuritySELinuxRestoreFileLabel(mgr, def->os.kernel, false) < 0) + virSecuritySELinuxRestoreFileLabel(mgr, def->os.kernel, true) < 0) rc =3D -1; =20 if (def->os.initrd && - virSecuritySELinuxRestoreFileLabel(mgr, def->os.initrd, false) < 0) + virSecuritySELinuxRestoreFileLabel(mgr, def->os.initrd, true) < 0) rc =3D -1; =20 if (def->os.dtb && - virSecuritySELinuxRestoreFileLabel(mgr, def->os.dtb, false) < 0) + virSecuritySELinuxRestoreFileLabel(mgr, def->os.dtb, true) < 0) rc =3D -1; =20 if (def->os.slic_table && - virSecuritySELinuxRestoreFileLabel(mgr, def->os.slic_table, false)= < 0) + virSecuritySELinuxRestoreFileLabel(mgr, def->os.slic_table, true) = < 0) rc =3D -1; =20 return rc; @@ -2726,7 +2751,7 @@ virSecuritySELinuxSetSavedStateLabel(virSecurityManag= erPtr mgr, if (!secdef || !secdef->relabel) return 0; =20 - return virSecuritySELinuxSetFilecon(mgr, savefile, secdef->imagelabel); + return virSecuritySELinuxSetFilecon(mgr, savefile, secdef->imagelabel,= true); } =20 =20 @@ -2741,7 +2766,7 @@ virSecuritySELinuxRestoreSavedStateLabel(virSecurityM= anagerPtr mgr, if (!secdef || !secdef->relabel) return 0; =20 - return virSecuritySELinuxRestoreFileLabel(mgr, savefile, false); + return virSecuritySELinuxRestoreFileLabel(mgr, savefile, true); } =20 =20 
@@ -2984,7 +3009,7 @@ virSecuritySELinuxSetSecuritySmartcardCallback(virDom= ainDefPtr def, database =3D dev->data.cert.database; if (!database) database =3D VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE; - return virSecuritySELinuxSetFilecon(mgr, database, data->content_c= ontext); + return virSecuritySELinuxSetFilecon(mgr, database, data->content_c= ontext, true); =20 case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH: return virSecuritySELinuxSetChardevLabel(mgr, def, @@ -3075,32 +3100,32 @@ virSecuritySELinuxSetAllLabel(virSecurityManagerPtr= mgr, if (def->os.loader && def->os.loader->nvram && secdef && secdef->imagelabel && virSecuritySELinuxSetFilecon(mgr, def->os.loader->nvram, - secdef->imagelabel) < 0) + secdef->imagelabel, true) < 0) return -1; =20 if (def->os.kernel && virSecuritySELinuxSetFilecon(mgr, def->os.kernel, - data->content_context) < 0) + data->content_context, true) < 0) return -1; =20 if (def->os.initrd && virSecuritySELinuxSetFilecon(mgr, def->os.initrd, - data->content_context) < 0) + data->content_context, true) < 0) return -1; =20 if (def->os.dtb && virSecuritySELinuxSetFilecon(mgr, def->os.dtb, - data->content_context) < 0) + data->content_context, true) < 0) return -1; =20 if (def->os.slic_table && virSecuritySELinuxSetFilecon(mgr, def->os.slic_table, - data->content_context) < 0) + data->content_context, true) < 0) return -1; =20 if (stdin_path && virSecuritySELinuxSetFilecon(mgr, stdin_path, - data->content_context) < 0) + data->content_context, true) < 0) return -1; =20 return 0; @@ -3259,7 +3284,7 @@ virSecuritySELinuxDomainSetPathLabel(virSecurityManag= erPtr mgr, if (!seclabel || !seclabel->relabel) return 0; =20 - return virSecuritySELinuxSetFilecon(mgr, path, seclabel->imagelabel); + return virSecuritySELinuxSetFilecon(mgr, path, seclabel->imagelabel, t= rue); } =20 =20 
@@ -3284,7 +3309,7 @@ virSecuritySELinuxSetFileLabels(virSecurityManagerPtr= mgr, char *filename =3D NULL; DIR *dir; =20 - if ((ret =3D virSecuritySELinuxSetFilecon(mgr, path, seclabel->imagela= bel))) + if ((ret =3D virSecuritySELinuxSetFilecon(mgr, path, seclabel->imagela= bel, true))) return ret; =20 if (!virFileIsDir(path)) @@ -3299,7 +3324,7 @@ virSecuritySELinuxSetFileLabels(virSecurityManagerPtr= mgr, break; } ret =3D virSecuritySELinuxSetFilecon(mgr, filename, - seclabel->imagelabel); + seclabel->imagelabel, true); VIR_FREE(filename); if (ret < 0) break; @@ -3333,7 +3358,7 @@ virSecuritySELinuxRestoreFileLabels(virSecurityManage= rPtr mgr, char *filename =3D NULL; DIR *dir; =20 - if ((ret =3D virSecuritySELinuxRestoreFileLabel(mgr, path, false))) + if ((ret =3D virSecuritySELinuxRestoreFileLabel(mgr, path, true))) return ret; =20 if (!virFileIsDir(path)) @@ -3347,7 +3372,7 @@ virSecuritySELinuxRestoreFileLabels(virSecurityManage= rPtr mgr, ret =3D -1; break; } - ret =3D virSecuritySELinuxRestoreFileLabel(mgr, filename, false); + ret =3D virSecuritySELinuxRestoreFileLabel(mgr, filename, true); VIR_FREE(filename); if (ret < 0) break; --=20 2.21.0 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
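Review bot: the new struct member comment in the @@ -82,6 +82,7 @@ hunk, "Whether owner remembering should be done for @path/@src", refers to an @src that struct _virSecuritySELinuxContextItem does not have; the visible members are path, tcon, optional, remember and restore, so the comment should say "for @path" only.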
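Review bot: the added documentation in the @@ -168,9 +171,12 @@ hunk for virSecuritySELinuxTransactionAppend says @remember records "the original owner of @path/@src", but the function takes only path, tcon, optional, remember and restore, so "@path/@src" should be "@path". It would also help to say here that @remember is a request rather than a guarantee, since virSecuritySELinuxTransactionRun only honours it when the transaction list holds the lock.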
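Review bot: in the @@ -276,17 +284,18 @@ hunk, "const bool remember = item->remember && list->lock;" silently discards a caller's remember=true whenever the transaction has no lock, and the same expression is repeated in the rollback loop of the following hunk. If the intent is that remembering is only safe under the lock, a one-line comment at the declaration saying so would stop the next reader from treating the masking as a bug; if remember=true on an unlocked transaction is an invalid combination, failing loudly would be preferable to continuing without remembering.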
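Review bot: the @@ -1574,7 +1590,7 @@ hunk in virSecuritySELinuxRestoreInputLabel, and every other virSecuritySELinuxRestoreFileLabel call site touched by this patch (memory, TPM, image, PCI, USB, SCSI, host, hostdev subsys and caps, chardev, smartcard, nvram/kernel/initrd/dtb/slic_table, saved state and the recursive file-label restore), flips the previously hard-coded "false" recall argument to "true", while every virSecuritySELinuxSetFilecon and SetFileconOptional caller gains a new "true" argument. That makes remembering the default on all paths rather than merely adding a switch, which the commit message ("Allow caller to suppress owner remembering") does not spell out; a sentence stating that remembering is now on everywhere and that the next commit selects the paths which opt out would make the behaviour change reviewable on its own.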