Commit dbf1f68410 ("security: do not remember/recall labels for VFIO") rightly changed the DAC and SELinux labeling parameters to fix a problem with "VFIO hostdevs" but really only addressed the PCI codepaths. As a result, we can still encounter this with VFIO MDEVs such as vfio-ccw and vfio-ap, which can fail on a hotplug: [test@host ~]# mdevctl stop -u 11f2d2bc-4083-431d-a023-eff72715c4f0 [test@host ~]# mdevctl start -u 11f2d2bc-4083-431d-a023-eff72715c4f0 [test@host ~]# cat disk.xml <hostdev mode='subsystem' type='mdev' model='vfio-ccw'> <source> <address uuid='11f2d2bc-4083-431d-a023-eff72715c4f0'/> </source> <address type='ccw' cssid='0xfe' ssid='0x0' devno='0x3c51'/> </hostdev> [test@host ~]# virsh attach-device guest ~/disk.xml error: Failed to attach device from /home/test/disk.xml error: Requested operation is not valid: Setting different SELinux label on /dev/vfio/3 which is already in use Make the same changes as reported in commit dbf1f68410, for the mdev paths. Reported-by: Matthew Rosato <mjrosato@xxxxxxxxxxxxx> Signed-off-by: Eric Farman <farman@xxxxxxxxxxxxx> --- src/security/security_dac.c | 4 ++-- src/security/security_selinux.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/security/security_dac.c b/src/security/security_dac.c index 9be8f458d1..bceb6a5c24 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -1310,7 +1310,7 @@ virSecurityDACSetHostdevLabel(virSecurityManager *mgr, if (!(vfiodev = virMediatedDeviceGetIOMMUGroupDev(mdevsrc->uuidstr))) return -1; - ret = virSecurityDACSetHostdevLabelHelper(vfiodev, true, &cbdata); + ret = virSecurityDACSetHostdevLabelHelper(vfiodev, false, &cbdata); break; } @@ -1466,7 +1466,7 @@ virSecurityDACRestoreHostdevLabel(virSecurityManager *mgr, if (!(vfiodev = virMediatedDeviceGetIOMMUGroupDev(mdevsrc->uuidstr))) return -1; - ret = virSecurityDACRestoreFileLabel(mgr, vfiodev); + ret = virSecurityDACRestoreFileLabelInternal(mgr, NULL, vfiodev, false); break; } diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index e43962435f..9c23735aa3 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -2217,7 +2217,7 @@ virSecuritySELinuxSetHostdevSubsysLabel(virSecurityManager *mgr, if (!(vfiodev = virMediatedDeviceGetIOMMUGroupDev(mdevsrc->uuidstr))) return ret; - ret = virSecuritySELinuxSetHostdevLabelHelper(vfiodev, true, &data); + ret = virSecuritySELinuxSetHostdevLabelHelper(vfiodev, false, &data); break; } @@ -2445,7 +2445,7 @@ virSecuritySELinuxRestoreHostdevSubsysLabel(virSecurityManager *mgr, if (!(vfiodev = virMediatedDeviceGetIOMMUGroupDev(mdevsrc->uuidstr))) return -1; - ret = virSecuritySELinuxRestoreFileLabel(mgr, vfiodev, true); + ret = virSecuritySELinuxRestoreFileLabel(mgr, vfiodev, false); break; } -- 2.37.2