selinux: skip fallback label restore for shared media

[PATCH 2/4] selinux: Don't remember labels for shareable SCSI devices

Posted by Cole Robinson via Devel 1 week, 2 days ago

For shareable/readonly devices, label restore is skipped entirely in
virSecuritySELinuxRestoreSCSILabel. So requesting remember=true here
doesn't accomplish anything

Signed-off-by: Cole Robinson <crobinso@redhat.com>
---
 src/security/security_selinux.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 19e550460c..3a91ea46d3 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -2171,10 +2171,10 @@ virSecuritySELinuxSetSCSILabel(virSCSIDevice *dev,
 
     if (virSCSIDeviceGetShareable(dev))
         return virSecuritySELinuxSetFilecon(mgr, file,
-                                            data->file_context, true);
+                                            data->file_context, false);
     else if (virSCSIDeviceGetReadonly(dev))
         return virSecuritySELinuxSetFilecon(mgr, file,
-                                            data->content_context, true);
+                                            data->content_context, false);
     else
         return virSecuritySELinuxSetFilecon(mgr, file,
                                             secdef->imagelabel, true);
-- 
2.51.1

[PATCH 1/4] selinux: Match remember/recall arguments for SavedStateLabel
[PATCH 2/4] selinux: Don't remember labels for shareable SCSI devices
[PATCH 3/4] selinux: Add is_shared plumbing to RestoreFileLabel
[PATCH 4/4] selinux: Mark anything using content_context as shared