Changes from V1:

1) Don't set context label of kernel *or* image file, set the context label of both.
2) Add a patch to enhance virStorageFileIsSharedFS to behave similarly to the ill-fated virFileIsOnNetworkShare.
3) Use virStorageFileIsSharedFS instead of virStorageFileIsSharedFS.

Prior to this patch series, restoring a domain with SELinux set to enforcing would fail, because the function that sets the label on the file to allow qemu to read it did not have the name of the file (see the comments in the individual patches). A patch from Jamie Strandboge (2b57478ef0a0a983cc6a47b98300c8359f9708d0) added the filename to the args passed down into the security driver; the first patch of this series takes advantage of that to properly set the label.

Patches 2 - 4 solve a problem with restoring a domain from an NFS share - in this case the SELinux functions will fail (as will functions trying to set the uid of the file, if it is a root-squashed share). The solution to this is to just ignore the failure. If the security driver fails to set the label, and virStorageFileIsSharedFS() tells us that the file is on a network-shared FS, we ignore the failure, otherwise we behave as before.

qemudDomainSaveFlag previously had a bit of code that detected if a particular path was on an NFS share; this code was replaced with a call to virStorageFileIsSharedFS, which is now functionally equivalent (better, even, since it detects a few other types of network filesystems).
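The failure-handling rule described in the message above, sketched in C as an added example; it is not part of the original message and is not libvirt's code. The function names, the `label_ok`/`label_fail` stand-ins for the security driver, and the choice of which filesystem magic numbers count as shared are assumptions of this example.

```c
#include <stdio.h>
#include <sys/vfs.h>

/* Superblock magic values from linux/magic.h. Treating exactly these four
 * as "shared" is this example's assumption; the message names only NFS. */
#define EX_NFS_MAGIC   0x6969L
#define EX_GFS2_MAGIC  0x01161970L
#define EX_OCFS2_MAGIC 0x7461636fL
#define EX_AFS_MAGIC   0x6B414653L

/* Pure classification, checkable without a network mount. */
static int magic_is_shared(long f_type) {
    return f_type == EX_NFS_MAGIC || f_type == EX_GFS2_MAGIC ||
           f_type == EX_OCFS2_MAGIC || f_type == EX_AFS_MAGIC;
}

/* 1 = shared FS, 0 = local FS, -1 = statfs() failed. */
static int path_is_shared_fs(const char *path) {
    struct statfs sb;
    if (statfs(path, &sb) < 0)
        return -1;
    return magic_is_shared((long)sb.f_type);
}

/* label_rc: result of the label call (0 ok, <0 failed).
 * A failure is tolerated only when the file is positively known to be on a
 * shared FS; treating "unknown" (-1) as an error is this example's choice. */
static int restore_label_result(int label_rc, int shared) {
    if (label_rc == 0 || shared == 1)
        return 0;
    return -1;
}

/* Hypothetical stand-ins for the security driver's label call. */
typedef int (*set_label_fn)(const char *path);
static int label_ok(const char *path)   { (void)path; return 0; }
static int label_fail(const char *path) { (void)path; return -1; }

static int set_saved_image_label(const char *path, set_label_fn set_label) {
    int rc = set_label(path);
    if (rc == 0)
        return 0;
    return restore_label_result(rc, path_is_shared_fs(path));
}

int main(void) {
    printf("/ shared: %d\n", path_is_shared_fs("/"));
    printf("label failure on /: %d\n", set_saved_image_label("/", label_fail));
    printf("label success on /: %d\n", set_saved_image_label("/", label_ok));
    return 0;
}
```

Keeping the tolerated case this narrow matters under enforcing SELinux: a labeling failure on a local filesystem still aborts the restore instead of being silently skipped.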