On 11/11/25 18:39, Cole Robinson via Devel wrote:
> https://issues.redhat.com/browse/RHEL-126945
>
> selinux label set/restore has race conditions on qemu:///session,
> where the xattr label remembering path is not used. See the above issue
> for a more detailed description of the problem.
>
> This series dodges the issue by skipping the fallback label
> restore for readonly resources like kernel and initrd, basically
> anything that would get the virt_content_t label.
>
>
> Note, disks already skip _all_ attempts to remember or restore
> selinux labels if the disk is marked readonly or shareable, and has
> done so for a long time. Maybe we should extend that out for anything
> that is inherently readonly or shareable, like kernel + initrd.
> But for now I stuck with the more conservative approach.
>
> And finally, this doesn't actually fix the race condition. If
> label remembering is working, the refcounting covers us. But if you
> disable label remembering at the qemu.conf level, there are likely
> similar issues in the DAC driver even for qemu:///system. I did
> not look into fixing the race but I suspect it involves keeping the
> security driver locked until the VM fully boots up.
>
> First two patches are not strictly related, but I noticed them
> while I was in the area.
> Patch 3 adds the plumbing but no behavior change.
> Patch 4 changes behavior.
>
> Cole Robinson (4):
>   selinux: Match remember/recall arguments for SavedStateLabel
>   selinux: Don't remember labels for shareable SCSI devices
>   selinux: Add is_shared plumbing to RestoreFileLabel
>   selinux: Mark anything using content_context as shared
>
>  src/security/security_selinux.c | 107 +++++++++++++++++++-------------
>  1 file changed, 63 insertions(+), 44 deletions(-)
>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Michal