qemu_namespace: Only replicate labels on created files
authorMartin Kletzander <mkletzan@redhat.com>
Tue, 15 Oct 2024 13:12:55 +0000 (15:12 +0200)
committerMartin Kletzander <mkletzan@redhat.com>
Wed, 16 Oct 2024 13:07:10 +0000 (15:07 +0200)
Function qemuNamespaceMknodOne() is trying to replicate a file from the
parent namespace as perfectly as possible, with the same permissions,
labels, ACLs, etc.

If that file already existed it means that the qemu process is probably
using it already and the current setting is probably more correct than
the ones from the parent namespace.

In order to reflect that, only replicate the file metadata when the file
was (re-)created in this function.

Resolves: https://issues.redhat.com/browse/RHEL-62174
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
src/qemu/qemu_namespace.c

index 33a773917373fa9254ccb07a8dd50214d3c2f945..5d9385afd672b713bc0abbd61daf77f96cd18190 100644 (file)
@@ -1090,43 +1090,45 @@ qemuNamespaceMknodOne(qemuNamespaceMknodItem *data)
         goto cleanup;
     }
 
-    if (lchown(data->file, data->sb.st_uid, data->sb.st_gid) < 0) {
-        virReportSystemError(errno,
-                             _("Failed to chown device %1$s"),
-                             data->file);
-        goto cleanup;
-    }
-
-    /* Symlinks don't have mode */
-    if (!isLink &&
-        chmod(data->file, data->sb.st_mode) < 0) {
-        virReportSystemError(errno,
-                             _("Failed to set permissions for device %1$s"),
-                             data->file);
-        goto cleanup;
-    }
-
-    if (data->acl &&
-        virFileSetACLs(data->file, data->acl) < 0 &&
-        errno != ENOTSUP) {
-        virReportSystemError(errno,
-                             _("Unable to set ACLs on %1$s"), data->file);
-        goto cleanup;
-    }
+    if (!existed) {
+        if (lchown(data->file, data->sb.st_uid, data->sb.st_gid) < 0) {
+            virReportSystemError(errno,
+                                 _("Failed to chown device %1$s"),
+                                 data->file);
+            goto cleanup;
+        }
 
-# ifdef WITH_SELINUX
-    if (data->tcon &&
-        lsetfilecon_raw(data->file, (const char *)data->tcon) < 0) {
-        VIR_WARNINGS_NO_WLOGICALOP_EQUAL_EXPR
-        if (errno != EOPNOTSUPP && errno != ENOTSUP) {
-        VIR_WARNINGS_RESET
+        /* Symlinks don't have mode */
+        if (!isLink &&
+            chmod(data->file, data->sb.st_mode) < 0) {
             virReportSystemError(errno,
-                                 _("Unable to set SELinux label on %1$s"),
+                                 _("Failed to set permissions for device %1$s"),
                                  data->file);
             goto cleanup;
         }
-    }
+
+        if (data->acl &&
+            virFileSetACLs(data->file, data->acl) < 0 &&
+            errno != ENOTSUP) {
+            virReportSystemError(errno,
+                                 _("Unable to set ACLs on %1$s"), data->file);
+            goto cleanup;
+        }
+
+# ifdef WITH_SELINUX
+        if (data->tcon &&
+            lsetfilecon_raw(data->file, (const char *)data->tcon) < 0) {
+            VIR_WARNINGS_NO_WLOGICALOP_EQUAL_EXPR
+            if (errno != EOPNOTSUPP && errno != ENOTSUP) {
+            VIR_WARNINGS_RESET
+                virReportSystemError(errno,
+                                     _("Unable to set SELinux label on %1$s"),
+                                     data->file);
+                goto cleanup;
+            }
+        }
 # endif
+    }
 
     /* Finish mount process started earlier. */
     if ((isReg || isDir) &&
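Review bot: The new `if (!existed)` guard at the top of the hunk now decides whether owner, mode, ACLs and the SELinux label are applied at all, yet the code neither says why nor records when they are skipped. I would put a comment above it, e.g. `/* Replicate metadata only on nodes created here; a pre-existing node may be in use by QEMU and keeps its current owner, mode, ACLs and label. */`, and add `else { VIR_DEBUG("Keeping existing metadata on %s", data->file); }` after the closing brace, so a node whose permissions or label differ from the parent's can be traced in the logs. `existed` is assigned outside this hunk, so I cannot confirm it is false on the re-create path the commit message mentions. That is worth checking, because a node that was re-created but still counted as existing would be left with whatever ownership and label it got at creation. The body of qemuNamespaceMknodOne() starts and ends outside the hunk.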