On Wed, Dec 09, 2020 at 11:26:52AM +0100, Michal Privoznik wrote: > Some secdrivers (typically SELinux driver) generate unique > dynamic seclabel for each domain (unless a static one is > requested in domain XML). This is achieved by calling > qemuSecurityGenLabel() from qemuProcessPrepareDomain() which > allocates unique seclabel and stores it in domain def->seclabels. > The counterpart is qemuSecurityReleaseLabel() which releases the > label and removes it from def->seclabels. Problem is, that with > current code the qemuProcessStop() may still want to use the > seclabel after it was released, e.g. when it wants to restore the > label of a disk mirror. > > What is happening now, is that in qemuProcessStop() the > qemuSecurityReleaseLabel() is called, which removes the SELinux > seclabel from def->seclabels, yada yada yada and eventually > qemuSecurityRestoreImageLabel() is called. This bubbles down to > virSecuritySELinuxRestoreImageLabelSingle() which find no SELinux > seclabel (using virDomainDefGetSecurityLabelDef()) and this > returns early doing nothing. > > Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1751664 > Fixes: 8fa0374c5b8e834fcbdeae674cc6cc9e6bf9019f > Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx> > --- > src/qemu/qemu_process.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) Reviewed-by: Daniel P. Berrangé <berrange@xxxxxxxxxx> Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
