selinux: Mark anything using content_context as shared

This marks kernel, initrd, dtb, and similar elements with is_shared,
meaning we skip label restore if xattr label remembering is not
enabled or supported (like on qemu:///session).

non-xattr based label restore is subject to race conditions if
multiple VMs are starting and stopping using shared media:
https://issues.redhat.com/browse/RHEL-126945

This converts every case that is using content_context (virt_content_t)
as SetFileLabel time, which is how we are marking content as
readonly. All the shareable cases (marked with file_context) are
already skipping remembering/label restore entirely.

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Cole Robinson <crobinso@redhat.com>

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 898f253256ba6b79c710746bcc5940b64beeda5f..2f3cc274a5d901dc82d73107b2c7b3e945cf2346 100644 (file)
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -2841,7 +2841,7 @@ virSecuritySELinuxRestoreSecuritySmartcardCallback(virDomainDef *def,
         database = dev->data.cert.database;
         if (!database)
             database = VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE;
-        return virSecuritySELinuxRestoreFileLabel(mgr, database, true, false);
+        return virSecuritySELinuxRestoreFileLabel(mgr, database, true, true);
 
     case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
         return virSecuritySELinuxRestoreChardevLabel(mgr, def,
@@ -2878,7 +2878,7 @@ virSecuritySELinuxRestoreSysinfoLabel(virSecurityManager *mgr,
         virSysinfoFWCfgDef *f = &def->fw_cfgs[i];
 
         if (f->file &&
-            virSecuritySELinuxRestoreFileLabel(mgr, f->file, true, false) < 0)
+            virSecuritySELinuxRestoreFileLabel(mgr, f->file, true, true) < 0)
             return -1;
     }
 
@@ -2974,23 +2974,23 @@ virSecuritySELinuxRestoreAllLabel(virSecurityManager *mgr,
     }
 
     if (def->os.kernel &&
-        virSecuritySELinuxRestoreFileLabel(mgr, def->os.kernel, true, false) < 0)
+        virSecuritySELinuxRestoreFileLabel(mgr, def->os.kernel, true, true) < 0)
         rc = -1;
 
     if (def->os.initrd &&
-        virSecuritySELinuxRestoreFileLabel(mgr, def->os.initrd, true, false) < 0)
+        virSecuritySELinuxRestoreFileLabel(mgr, def->os.initrd, true, true) < 0)
         rc = -1;
 
     if (def->os.shim &&
-        virSecuritySELinuxRestoreFileLabel(mgr, def->os.shim, true, false) < 0)
+        virSecuritySELinuxRestoreFileLabel(mgr, def->os.shim, true, true) < 0)
         rc = -1;
 
     if (def->os.dtb &&
-        virSecuritySELinuxRestoreFileLabel(mgr, def->os.dtb, true, false) < 0)
+        virSecuritySELinuxRestoreFileLabel(mgr, def->os.dtb, true, true) < 0)
         rc = -1;
 
     for (i = 0; i < def->os.nacpiTables; i++) {
-        if (virSecuritySELinuxRestoreFileLabel(mgr, def->os.acpiTables[i]->path, true, false) < 0)
+        if (virSecuritySELinuxRestoreFileLabel(mgr, def->os.acpiTables[i]->path, true, true) < 0)
             rc = -1;
     }