On 9/20/21 5:57 PM, Ján Tomko wrote:
> On a Monday in 2021, Michal Privoznik wrote:
>> In selinux driver there's virSecuritySELinuxSetFileconImpl()
>> which is responsible for actual setting of SELinux label on given
>> file and handling possible failures. In the failure handling code
>> we decide whether failure is fatal or not. But there is a bug:
>> depending on SELinux mode (Permissive vs. Enforcing) the ENOENT
>> is either ignored or considered fatal.
>
>> This is not correct - ENOENT
>> must always be fatal - QEMU will fail opening it anyways.
>>
>> Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2004850
>
> It won't get as far as trying to start QEMU. The error message in the
> linked bug:
> error: unable to stat: /var/lib/libvirt/images/slic.dat: No such file
> or directory
> comes from the DAC driver.

Correct. I should have rephrased that.

>
> IIUC in virSecurityStackTransactionCommit we happily commit the SELinux
> changes, fail to commit the DAC changes, but the rollback calling
> virSecurityManagerTransactionAbort does nothing.

Indeed.

>
> And since qemuSecuritySetAllLabel does not complete successfully,
> qemuProcessLaunch
> does not ask its callers to restore the labels.

Yes.

Michal
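To make the rollback gap discussed in the thread concrete, here is an added in-memory model in C. It is not libvirt code: the driver and stack function names, the label strings and the single missing-file scenario are all constructed for the illustration. The model's DAC commit fails the way stat() does on a missing file, its SELinux commit ignores the missing file (the Permissive-mode behaviour the commit message criticises), and the two stack-commit variants show that an abort-only rollback leaves the already-applied SELinux label in place while an unwinding commit restores it.

```c
/* In-memory model of a stacked security-driver transaction.
 * Constructed for illustration; none of this is libvirt code. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define LABEL_LEN 32

typedef struct {
    const char *name;         /* "selinux" or "dac" (constructed) */
    bool file_exists;         /* the model's DAC commit fails when false */
    char current[LABEL_LEN];  /* label the driver currently has applied */
    char saved[LABEL_LEN];    /* label before this transaction */
    char pending[LABEL_LEN];  /* label queued by the transaction */
    bool committed;           /* pending was applied by this transaction */
} Driver;

static void driver_init(Driver *d, const char *name, const char *label, bool exists)
{
    memset(d, 0, sizeof(*d));
    d->name = name;
    d->file_exists = exists;
    snprintf(d->current, LABEL_LEN, "%s", label);
}

/* TransactionStart: queue a label change without touching anything. */
static void driver_transaction_start(Driver *d, const char *label)
{
    snprintf(d->pending, LABEL_LEN, "%s", label);
    d->committed = false;
}

/* TransactionCommit: apply the queued label. The DAC driver fails like
 * stat() on a missing file; the SELinux driver ignores the missing file. */
static int driver_transaction_commit(Driver *d)
{
    if (strcmp(d->name, "dac") == 0 && !d->file_exists)
        return -1;  /* unable to stat: No such file or directory */
    snprintf(d->saved, LABEL_LEN, "%s", d->current);
    snprintf(d->current, LABEL_LEN, "%s", d->pending);
    d->committed = true;
    return 0;
}

/* TransactionAbort: forgets the queued change only; an already-applied
 * label stays where commit put it. */
static void driver_transaction_abort(Driver *d) { d->pending[0] = '\0'; }

/* Explicit undo of a change that commit already applied. */
static void driver_transaction_restore(Driver *d)
{
    if (!d->committed)
        return;
    snprintf(d->current, LABEL_LEN, "%s", d->saved);
    d->committed = false;
}

/* Stack commit as described in the thread: commit each driver in turn
 * and, on failure, abort all of them. Drivers that already committed
 * keep their new labels. */
static int stack_commit_abort_only(Driver *drv, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (driver_transaction_commit(&drv[i]) < 0) {
            for (size_t j = 0; j < n; j++)
                driver_transaction_abort(&drv[j]);
            return -1;
        }
    }
    return 0;
}

/* Stack commit that unwinds: restore every driver that committed before
 * the failing one (reverse order), then abort the whole stack. */
static int stack_commit_unwind(Driver *drv, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (driver_transaction_commit(&drv[i]) < 0) {
            for (size_t j = i; j-- > 0; )
                driver_transaction_restore(&drv[j]);
            for (size_t j = 0; j < n; j++)
                driver_transaction_abort(&drv[j]);
            return -1;
        }
    }
    return 0;
}

/* Scenario: SELinux then DAC are asked to label a file that does not
 * exist. Returns the commit result and copies the label the SELinux
 * driver is left with into out. */
static int label_after_failed_commit(bool unwind, char *out, size_t outlen)
{
    Driver stack[2];
    driver_init(&stack[0], "selinux", "unlabeled_t", false);
    driver_init(&stack[1], "dac", "root:root", false);
    driver_transaction_start(&stack[0], "svirt_image_t");
    driver_transaction_start(&stack[1], "qemu:qemu");
    int rc = unwind ? stack_commit_unwind(stack, 2)
                    : stack_commit_abort_only(stack, 2);
    snprintf(out, outlen, "%s", stack[0].current);
    return rc;
}
```

Both variants return -1 for the scenario, so the caller still sees the failure; the difference is only in what the first driver leaves behind. In the abort-only variant the SELinux label is already switched to the constructed "svirt_image_t" and nothing in the failure path reverts it, which is the state the thread says qemuProcessLaunch will not ask its callers to clean up; the unwinding variant puts "unlabeled_t" back before returning the error.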