This is an ad-hoc fix for the file label generation. It uses the base context role to determine whether to use the libvirt process context role. If this is object_r we don't touch it. It might be better to add a new flag to virSecuritySELinuxGenNewContext that specifies the context type (process or file) in the future. Signed-off-by: Viktor Mihajlovski <mihajlov@xxxxxxxxxxxxxxxxxx> --- src/security/security_selinux.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 48fd78b..34b9aad 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -176,7 +176,9 @@ virSecuritySELinuxGenNewContext(const char *basecontext, const char *mcs) goto cleanup; } - if (context_role_set(context, + /* don't exchange role context if object_r as this is a file context */ + if (strcmp("object_r", context_role_get(context)) && + context_role_set(context, context_role_get(ourContext)) != 0) { virReportSystemError(errno, _("Unable to set SELinux context user '%s'"), -- 1.7.0.4
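Review bot: The new condition in virSecuritySELinuxGenNewContext uses a bare strcmp("object_r", context_role_get(context)) as a truth value right next to context_role_set(...) != 0, so the two halves of the && use opposite conventions and the intent ("role is not object_r") is easy to misread. Please spell it as STRNEQ(context_role_get(context), "object_r"), which is also what libvirt's syntax-check expects in place of raw strcmp. The hard-coded "object_r" literal decides whether the result is a file or a process label, so a named constant, or the process/file flag the commit message already proposes, would make that decision explicit at the call sites rather than inferred from the base context. Since the hunk touches this block anyway, note that the error text in the trailing context still says "Unable to set SELinux context user '%s'" although the failing call is context_role_set; it should say "role".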