From: Peter Krempa
To: libvir-list@redhat.com
Cc: Peter Krempa
Date: Fri, 20 Oct 2017 15:47:31 +0200
Subject: [libvirt] [PATCH 06/12] security: selinux: Take parent security label into account

Until now we ignored user-provided backing chains and, while detecting, the code inherited labels of the parent device. With user-provided chains we should keep this functionality, so the label of the parent image in the backing chain will be applied if an image-specific label is not present.

Reviewed-by: John Ferlan
---
 src/security/security_selinux.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 66b3bbf1c..ed1828a12 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1597,6 +1597,7 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityMa= nagerPtr mgr, virSecuritySELinuxDataPtr data =3D virSecurityManagerGetPrivateData(mg= r); virSecurityLabelDefPtr secdef; virSecurityDeviceLabelDefPtr disk_seclabel; + virSecurityDeviceLabelDefPtr parent_seclabel =3D NULL; int ret; if (!src->path || !virStorageSourceIsLocalStorage(src)) @@ -1608,12 +1609,20 @@ virSecuritySELinuxSetImageLabelInternal(virSecurity= ManagerPtr mgr, disk_seclabel =3D virStorageSourceGetSecurityLabelDef(src, SECURITY_SELINUX_N= AME); + if (parent) + parent_seclabel =3D virStorageSourceGetSecurityLabelDef(parent, + SECURITY_SEL= INUX_NAME); - if (disk_seclabel && !disk_seclabel->relabel) - return 0; + if (disk_seclabel && (!disk_seclabel->relabel || disk_seclabel->label)= ) { + if (!disk_seclabel->relabel) + return 0; - if (disk_seclabel && disk_seclabel->relabel && disk_seclabel->label) { ret =3D virSecuritySELinuxSetFilecon(mgr, src->path, disk_seclabel= ->label); + } else if (parent_seclabel && (!parent_seclabel->relabel || parent_sec= label->label)) { + if (!parent_seclabel->relabel) + return 0; + + ret =3D virSecuritySELinuxSetFilecon(mgr, src->path, parent_seclab= el->label); } else if (!parent || parent =3D=3D src) { if (src->shared) { ret =3D virSecuritySELinuxSetFileconOptional(mgr, --=20 2.14.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
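Review bot: in the second hunk (the restructured if/else-if chain after the new parent_seclabel lookup), a src whose own seclabel has relabel='yes' but no explicit label no longer falls straight through to the default labeling branch: it first hits `else if (parent_seclabel && (!parent_seclabel->relabel || parent_seclabel->label))`, and when the parent's seclabel says relabel='no' the inner `return 0;` skips labeling the child entirely, even though the child's own definition asked for relabeling. If a parent relabel='no' is meant to win over a child relabel='yes' without a label, the commit message should say so; otherwise the parent branch should only be consulted when the child has no seclabel of its own, e.g. by adding `!disk_seclabel` to that else-if condition. On style, the repeated shape `if (x && (!x->relabel || x->label)) { if (!x->relabel) return 0; ... }` for both disk and parent is hard to follow; keeping the pre-patch early return `if (disk_seclabel && !disk_seclabel->relabel) return 0;` ahead of the chain would let the disk branch test just `disk_seclabel && disk_seclabel->label`. Note also that for the top image `parent == src`, so parent_seclabel is the same object as disk_seclabel and the parent branch is a no-op there, which is harmless but worth a comment.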