The seclabel for @stdin_path in virSecuritySELinuxSetAllLabel() is not restored, because at virSecuritySELinuxRestoreAllLabel() phase it's too late and the caller (QEMU driver) simply doesn't care. Well, don't remember the label and let the perms leak. Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx> --- src/security/security_selinux.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 8aeb6e45a5..f47bfbdba9 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -3233,7 +3233,7 @@ virSecuritySELinuxSetAllLabel(virSecurityManagerPtr mgr, if (stdin_path && virSecuritySELinuxSetFilecon(mgr, stdin_path, - data->content_context, true) < 0) + data->content_context, false) < 0) return -1; return 0; -- 2.24.1