On Wed, Nov 20, 2024 at 18:48:44 +0300, Nikolai Barybin via Devel wrote: > Signed-off-by: Nikolai Barybin <nikolai.barybin@xxxxxxxxxxxxx> > --- > src/security/security_selinux.c | 27 +++++++++++++++++++++++++-- > 1 file changed, 25 insertions(+), 2 deletions(-) [...] > @@ -2067,6 +2075,14 @@ virSecuritySELinuxSetImageLabel(virSecurityManager *mgr, > isChainTop) < 0) > return -1; > > + /* Unlike backing images, data files are not designed to be shared by > + * anyone. Thus, we always consider them as chain top. */ > + if (n->dataFileStore && > + virSecuritySELinuxSetImageLabelInternal(mgr, sharedFilesystems, > + def, n->dataFileStore, parent, > + true) < 0) Inside this function there's code which picks which label gets applied, the code applies RW labels if the active element is equal to 'parent'. This needs to be extended to also consider 'parent->dataFileStore' so that the data-file images are labelled RW.
