If swtpm binary fails to start after successful exec() (e.g. it fails to initialize itself), the seclabels set in qemuSecurityStartTPMEmulator() are not restored. This is due to lacking qemuSecurityRestoreTPMLabels() call in the error path. Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx> --- src/qemu/qemu_tpm.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c index 200ff0de6f..03055002cb 100644 --- a/src/qemu/qemu_tpm.c +++ b/src/qemu/qemu_tpm.c @@ -927,6 +927,7 @@ qemuTPMEmulatorStart(virQEMUDriver *driver, virTimeBackOffVar timebackoff; const unsigned long long timeout = 1000; /* ms */ bool setTPMStateLabel = true; + bool teardownlabel = false; int cmdret = 0; pid_t pid = -1; @@ -970,6 +971,7 @@ qemuTPMEmulatorStart(virQEMUDriver *driver, * already reported error. */ goto error; } + teardownlabel = true; if (virPidFileReadPath(pidfile, &pid) < 0) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", @@ -1012,6 +1014,8 @@ qemuTPMEmulatorStart(virQEMUDriver *driver, virProcessKillPainfully(pid, true); if (pidfile) unlink(pidfile); + if (teardownlabel) + qemuSecurityRestoreTPMLabels(driver, vm, setTPMStateLabel); return -1; } -- 2.38.2