security: selinux: Label externalDataStore
authorCole Robinson <crobinso@redhat.com>
Mon, 7 Oct 2019 20:20:16 +0000 (16:20 -0400)
committerCole Robinson <crobinso@redhat.com>
Fri, 11 Oct 2019 18:25:59 +0000 (14:25 -0400)
We mirror the labeling strategy that was used for its top image

Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Cole Robinson <crobinso@redhat.com>
src/security/security_selinux.c

index 5f7c2cdb5c30fe057a47f262af0081159f314db6..6e6b758497b70e72e5f786aef13686e0145da2d7 100644 (file)
@@ -1846,7 +1846,7 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityManagerPtr mgr,
     virSecurityDeviceLabelDefPtr parent_seclabel = NULL;
     char *use_label = NULL;
     bool remember;
-    bool is_toplevel = parent == src;
+    bool is_toplevel = parent == src || parent->externalDataStore == src;
     int ret;
 
     if (!src->path || !virStorageSourceIsLocalStorage(src))
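Review bot: `parent` is now dereferenced in the `is_toplevel` initializer, where the old line only compared pointers, so a NULL `parent` would crash here before the `src->path` check is reached. No caller is visible in this hunk, so either confirm that every caller passes a non-NULL parent or write `bool is_toplevel = parent == src || (parent && parent->externalDataStore == src);`. The flag presumably decides which SELinux label the file receives further down (the function body continues outside the hunk), so a short comment such as `/* the top image's external data file is labeled like the top image itself */` would make the widened meaning explicit.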
@@ -1933,6 +1933,14 @@ virSecuritySELinuxSetImageLabelRelative(virSecurityManagerPtr mgr,
         if (virSecuritySELinuxSetImageLabelInternal(mgr, def, n, parent) < 0)
             return -1;
 
+        if (n->externalDataStore &&
+            virSecuritySELinuxSetImageLabelRelative(mgr,
+                                                    def,
+                                                    n->externalDataStore,
+                                                    parent,
+                                                    flags) < 0)
+            return -1;
+
         if (!(flags & VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN))
             break;
     }
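Review bot: The nested call for `n->externalDataStore` passes `flags` through unchanged, so with `VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN` set it would also walk any chain or data store hanging off the data file, assuming the enclosing loop (its header is outside the hunk) follows `backingStore`. If a data file is never expected to have a backing chain or a data store of its own, state that invariant in a comment, or pass `flags & ~VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN` so only the data file itself is relabeled and the recursion stops at one level. A comment should also say that `parent` rather than `n` is passed on purpose, so that only the top image's data file matches the `is_toplevel` test in the first hunk.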