In a few cases we might set seclabels on a path outside of namespaces. For instance, when restoring a domain from a file, the file is opened, relabelled and only then the namespace is created and the FD is passed to QEMU (see v6.3.0-rc1~108 for more info). Therefore, when restoring the label on the restore file, we must ignore domain namespaces and restore the label directly in the host. This bug demonstrates itself when restoring a domain from a block device. We don't create the block device inside the domain namespace and thus the following error is reported at the end of (otherwise successful) restore: error : virProcessRunInFork:1236 : internal error: child reported (status=125): unable to stat: /dev/sda: No such file or directory error : virProcessRunInFork:1240 : unable to stat: /dev/sda: No such file or directory Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx>
---
 src/qemu/qemu_driver.c | 2 +-
 src/qemu/qemu_security.c | 6 ++++--
 src/qemu/qemu_security.h | 3 ++-
 3 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 80648f1d32..4f62b5c838 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -6953,7 +6953,7 @@ qemuDomainSaveImageStartVM(virConnectPtr conn,
 qemuProcessStop(driver, vm, VIR_DOMAIN_SHUTOFF_FAILED, asyncJob, VIR_QEMU_PROCESS_STOP_MIGRATED);
 }
- if (qemuSecurityDomainRestorePathLabel(driver, vm, path) < 0)
+ if (qemuSecurityDomainRestorePathLabel(driver, vm, path, true) < 0)
 VIR_WARN("failed to restore save state label on %s", path);
 return ret;
 }
diff --git a/src/qemu/qemu_security.c b/src/qemu/qemu_security.c
index 98f973ab12..f49c0890f2 100644
--- a/src/qemu/qemu_security.c
+++ b/src/qemu/qemu_security.c
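Review bot: The bare `true` passed to qemuSecurityDomainRestorePathLabel() in qemuDomainSaveImageStartVM() (src/qemu/qemu_driver.c) does not tell a reader why the namespace check is skipped at this call site. A short comment above the call would carry the reasoning from the commit message, e.g. `/* The save image was labelled on the host before the domain namespace existed, so restore its label on the host too. */`. The surrounding code only emits a VIR_WARN when the restore fails, so a failure presumably leaves the save file or block device carrying the domain's label; it is worth deciding whether that case deserves more than a warning while this path is being touched. The function body starts outside the hunk.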
@@ -617,13 +617,15 @@ qemuSecurityDomainSetPathLabel(virQEMUDriverPtr driver,
 int
 qemuSecurityDomainRestorePathLabel(virQEMUDriverPtr driver,
 virDomainObjPtr vm,
- const char *path)
+ const char *path,
+ bool ignoreNS)
 {
 qemuDomainObjPrivatePtr priv = vm->privateData;
 pid_t pid = -1;
 int ret = -1;
- if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT))
+ if (!ignoreNS &&
+ qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT))
 pid = vm->pid;
 if (virSecurityManagerTransactionStart(driver->securityManager) < 0)
diff --git a/src/qemu/qemu_security.h b/src/qemu/qemu_security.h
index ed6b762662..df34820af8 100644
--- a/src/qemu/qemu_security.h
+++ b/src/qemu/qemu_security.h
@@ -103,7 +103,8 @@ int qemuSecurityDomainSetPathLabel(virQEMUDriverPtr driver,
 int qemuSecurityDomainRestorePathLabel(virQEMUDriverPtr driver,
 virDomainObjPtr vm,
- const char *path);
+ const char *path,
+ bool ignoreNS);
 int qemuSecurityCommandRun(virQEMUDriverPtr driver,
 virDomainObjPtr vm,
-- 2.26.2
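Review bot: The new `ignoreNS` parameter of qemuSecurityDomainRestorePathLabel() is undocumented, both at the definition in src/qemu/qemu_security.c and at the prototype in src/qemu/qemu_security.h, although it decides which mount namespace the relabel runs in. I would add a comment above the definition saying that `ignoreNS` should be true only for paths that were labelled on the host before the domain's namespace was created (the restore file), and false for paths labelled inside the namespace. A caller that picks the wrong value would either hit the stat failure quoted in the commit message or could act on a different node than the one that was labelled. qemuSecurityDomainSetPathLabel(), named in the hunk header, is not visible here, so it is worth confirming that the set and restore sides cannot disagree about the namespace for the same path. The function body continues past the end of the hunk.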