From nobody Sun Feb  8 14:07:31 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of redhat.com designates
 170.10.133.124 as permitted sender) client-ip=170.10.133.124;
 envelope-from=libvir-list-bounces@redhat.com;
 helo=us-smtp-delivery-124.mimecast.com;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com;
	dmarc=pass(p=none dis=none)  header.from=redhat.com
ARC-Seal: i=1; a=rsa-sha256; t=1632137500; cv=none;
	d=zohomail.com; s=zohoarc;
	b=JoQX+8q9gFPJsRlU8HXHe4Asb8tVV55JsvKqx9STWWuP2q2qGIi5MT0iXVXth0SRrxTt2Q5csiSrNx+KeXkRDG79QgoF87hJF2i5q6GKaNImzDWGHvgb9HqeSXeUJ9FbGqJ1HS2FnM3b6eqxc7U6E8RKpzO/XQN7SwYcFen6Xpw=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1632137500;
 h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To;
	bh=F96IkVwBROPafnwqp5WRbDFiXGxKm5BGbQTrds4rCbM=;
	b=FftRwrlNtgDdoMjtSwAjWN0eZLcCYt4NFCuN+C8qCqScuYDEoLJ1aMKU5We2IoMyVoYFiwOoSGHvUTWrQ41ja50Q75rswr5SO4CRBgnsKI2Uq38aR00upU3PZryUx/53Zx+BBxjvmwRl/9nDyVOc2CX/EKREKkLS49KDvKVwUXQ=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com;
	dmarc=pass header.from=<mprivozn@redhat.com> (p=none dis=none)
Return-Path: <libvir-list-bounces@redhat.com>
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.zohomail.com
	with SMTPS id 1632137500267243.8229312613039;
 Mon, 20 Sep 2021 04:31:40 -0700 (PDT)
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-2-WCFxkD5JO7GHP2-udu4FOA-1; Mon, 20 Sep 2021 07:31:37 -0400
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com
 [10.5.11.14])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 8A20C19253CA;
	Mon, 20 Sep 2021 11:31:32 +0000 (UTC)
Received: from colo-mx.corp.redhat.com
 (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id 670155D9DC;
	Mon, 20 Sep 2021 11:31:32 +0000 (UTC)
Received: from lists01.pubmisc.prod.ext.phx2.redhat.com
 (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33])
	by colo-mx.corp.redhat.com (Postfix) with ESMTP id 3689A1805986;
	Mon, 20 Sep 2021 11:31:31 +0000 (UTC)
Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com
	[10.5.11.11])
	by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
	id 18KBVTXX027951 for <libvir-list@listman.util.phx.redhat.com>;
	Mon, 20 Sep 2021 07:31:29 -0400
Received: by smtp.corp.redhat.com (Postfix)
	id 35DE219E7E; Mon, 20 Sep 2021 11:31:29 +0000 (UTC)
Received: from localhost.localdomain (unknown [10.40.192.21])
	by smtp.corp.redhat.com (Postfix) with ESMTP id 20A081346F
	for <libvir-list@redhat.com>; Mon, 20 Sep 2021 11:31:27 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1632137499;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:list-id:list-help:
	 list-unsubscribe:list-subscribe:list-post;
	bh=F96IkVwBROPafnwqp5WRbDFiXGxKm5BGbQTrds4rCbM=;
	b=KW1mlMWmAGuXLKxarpUMJdGwS6NiJOQaAV8GVdZpfrMUEUA5EGT7sUAgnVxZxSnbcsd5zK
	/ga1KVQcA/ZMKK8rfghSfWrc1oQAT7EmpyNIiIeaxsYqMy2PJWzpeNEy8cRAMTMWbrqeDt
	mcbIDX3Wag93ft5kF+ETHUwzhCfnJzg=
X-MC-Unique: WCFxkD5JO7GHP2-udu4FOA-1
From: Michal Privoznik <mprivozn@redhat.com>
To: libvir-list@redhat.com
Subject: [PATCH 2/2] selinux: Don't ignore ENOENT in Permissive mode
Date: Mon, 20 Sep 2021 13:31:19 +0200
Message-Id: 
 <655f853baabfb87e64f313c445ed39cd55861b78.1632137458.git.mprivozn@redhat.com>
In-Reply-To: <cover.1632137458.git.mprivozn@redhat.com>
References: <cover.1632137458.git.mprivozn@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11
X-loop: libvir-list@redhat.com
X-BeenThere: libvir-list@redhat.com
X-Mailman-Version: 2.1.12
Precedence: junk
List-Id: Development discussions about the libvirt library & tools
	<libvir-list.redhat.com>
List-Unsubscribe: <https://listman.redhat.com/mailman/options/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=unsubscribe>
List-Archive: <https://listman.redhat.com/archives/libvir-list>
List-Post: <mailto:libvir-list@redhat.com>
List-Help: <mailto:libvir-list-request@redhat.com?subject=help>
List-Subscribe: <https://listman.redhat.com/mailman/listinfo/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=subscribe>
Sender: libvir-list-bounces@redhat.com
Errors-To: libvir-list-bounces@redhat.com
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14
Authentication-Results: relay.mimecast.com;
	auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Transfer-Encoding: quoted-printable
X-ZohoMail-DKIM: pass (identity @redhat.com)
X-ZM-MESSAGEID: 1632138402744100001
Content-Type: text/plain; charset="utf-8"

In selinux driver there's virSecuritySELinuxSetFileconImpl()
which is responsible for actual setting of SELinux label on given
file and handling possible failures. In fhe failure handling code
we decide whether failure is fatal or not. But there is a bug:
depending on SELinux mode (Permissive vs. Enforcing) the ENOENT
is either ignored or considered fatal. This not correct - ENOENT
must always be fatal - QEMU will fail opening it anyways.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=3D2004850
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
 src/security/security_selinux.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinu=
x.c
index 050acee2b0..7e8c4fb4f2 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1283,9 +1283,11 @@ virSecuritySELinuxSetFileconImpl(const char *path,
         } else {
             /* However, don't claim error if SELinux is in Enforcing mode =
and
              * we are running as unprivileged user and we really did see E=
PERM.
-             * Otherwise we want to return error if SELinux is Enforcing. =
*/
-            if (security_getenforce() =3D=3D 1 &&
-                (setfilecon_errno !=3D EPERM || privileged)) {
+             * Otherwise we want to return error if SELinux is Enforcing, =
or we
+             * saw EPERM regardless of SELinux mode. */
+            if (setfilecon_errno =3D=3D ENOENT ||
+                (security_getenforce() =3D=3D 1 &&
+                 (setfilecon_errno !=3D EPERM || privileged))) {
                 virReportSystemError(setfilecon_errno,
                                      _("unable to set security context '%s=
' on '%s'"),
                                      tcon, path);
--=20
2.32.0