On Fri, Apr 03, 2020 at 05:58:03PM +0200, Michal Privoznik wrote:
> As explained in the previous commit, we need to relabel the file
> we are restoring the domain from. That is the FD that is passed
> to QEMU. If the file is not under /dev then the file inside the
> namespace is the very same as the one in the host. And regardless
> of using transactions, the file will be relabeled. But, if the
> file is under /dev then when using transactions only the copy
> inside the namespace is relabeled and the one in the host is not.
> But QEMU is reading from the one in the host, actually.
>
> Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1772838
>
> Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx>
> ---

...

> > /* > * virSecuritySELinuxSetFileLabels: > @@ -3596,6 +3606,7 @@ virSecurityDriver virSecurityDriverSELinux = { > .getBaseLabel = virSecuritySELinuxGetBaseLabel, > > .domainSetPathLabel = virSecuritySELinuxDomainSetPathLabel, > + .domainSetIncomingPathLabel = virSecuritySELinuxDomainSetIncomingPathLabel,

"HostPath" would IMO feel better than "IncomingPath" in this patch as well.

Reviewed-by: Erik Skultety <eskultet@xxxxxxxxxx>
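
Review bot: In the virSecurityDriverSELinux table, the added .domainSetIncomingPathLabel entry sits directly under .domainSetPathLabel with nothing in the visible lines to say how the two differ. Per the commit message, the point of the new callback is that the copy of the file in the host gets relabeled even when transactions are in use and the path is under /dev, so the doc comment on virSecuritySELinuxDomainSetIncomingPathLabel should state that explicitly, so a later caller does not pick the wrong one and leave the host file with a label QEMU cannot read through. Only the SELinux table is visible in this hunk, so it is also worth confirming that the caller treats the callback as optional for any driver that leaves it unset.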