[PATCH v6 08/13] virSecuritySELinuxRestoreImageLabelInt: Move FD image relabeling after 'migrated' check

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



From: Peter Krempa <pkrempa@xxxxxxxxxx>

Reorganize the code so that the 'migrated' flag isn't checked multiple
times and thus that it's more obvious what is happening when the
'migrated' flag is asserted.

Signed-off-by: Peter Krempa <pkrempa@xxxxxxxxxx>
Reviewed-by: Andrea Bolognani <abologna@xxxxxxxxxx>
Signed-off-by: Andrea Bolognani <abologna@xxxxxxxxxx>
---
 src/security/security_selinux.c | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index bfa48a5f72..453ac67d25 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1819,26 +1819,15 @@ virSecuritySELinuxRestoreImageLabelInt(virSecurityManager *mgr,
     if (src->readonly || src->shared)
         return 0;
 
-    if (virStorageSourceIsFD(src)) {
-        if (migrated)
-            return 0;
-
-        if (!src->fdtuple ||
-            !src->fdtuple->selinuxLabel ||
-            src->fdtuple->nfds == 0)
-            return 0;
-
-        ignore_value(virSecuritySELinuxFSetFilecon(src->fdtuple->fds[0],
-                                                   src->fdtuple->selinuxLabel));
-        return 0;
-    }
-
     /* If we have a shared FS and are doing migration, we must not change
      * ownership, because that kills access on the destination host which is
      * sub-optimal for the guest VM's I/O attempts :-) */
     if (migrated) {
         int rc = 1;
 
+        if (virStorageSourceIsFD(src))
+            return 0;
+
         if (virStorageSourceIsLocalStorage(src)) {
             if (!src->path)
                 return 0;
@@ -1854,6 +1843,17 @@ virSecuritySELinuxRestoreImageLabelInt(virSecurityManager *mgr,
         }
     }
 
+    if (virStorageSourceIsFD(src)) {
+        if (!src->fdtuple ||
+            !src->fdtuple->selinuxLabel ||
+            src->fdtuple->nfds == 0)
+            return 0;
+
+        ignore_value(virSecuritySELinuxFSetFilecon(src->fdtuple->fds[0],
+                                                   src->fdtuple->selinuxLabel));
+        return 0;
+    }
+
     /* This is not very clean. But so far we don't have NVMe
      * storage pool backend so that its chownCallback would be
      * called. And this place looks least offensive. */
-- 
2.46.0




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux