At the beginning of virSecuritySELinuxSetImageLabelInternal() there's a check that allows the function return early. In previous patch the check was extended to not return early for NVMe disks. However, there's no such check in other drivers (DAC, AppArmor). Therefore, move the check a couple of line down so that the resulting code is at least somewhat similar to the rest of secdrivers. Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx> --- src/security/security_selinux.c | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index a296cb7613..26c6b281cc 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -1818,13 +1818,6 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityManager *mgr, const char *path = src->path; int ret; - /* Special case NVMe. Per virStorageSourceIsLocalStorage() it's - * considered not local, but we still want the code below to set - * label on VFIO group. */ - if (src->type != VIR_STORAGE_TYPE_NVME && - (!src->path || !virStorageSourceIsLocalStorage(src))) - return 0; - secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); if (!secdef || !secdef->relabel) return 0; @@ -1882,6 +1875,8 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityManager *mgr, return -1; path = vfioGroupDev; + } else if (!path || !virStorageSourceIsLocalStorage(src)) { + return 0; } ret = virSecuritySELinuxSetFilecon(mgr, path, use_label, remember); -- 2.35.1