From: Laine Stump Date: Wed, 1 Mar 2023 20:58:24 +0000 (-0500) Subject: qemu: set SELinux label of passt process to its own binary's label X-Git-Tag: v9.2.0-rc1~102 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8419dd3b69cfada783a2e6df315e45dd294b0d18;p=thirdparty%2Flibvirt.git qemu: set SELinux label of passt process to its own binary's label set useBinarySpecificLabel = true when calling qemuSecurityCommandRun for the passt process, so that the new process context will include the binary-specific label that should be used for passt (passt_t) rather than svirt_t (as would happen if useBinarySpecificLabel was false). (The MCS part of the label, which is common to all child processes related to a particular qemu domain instance, is also set). Resolves: https://bugzilla.redhat.com/2172267 Signed-off-by: Laine Stump Reviewed-by: Andrea Bolognani Reviewed-by: Michal Privoznik --- diff --git a/src/qemu/qemu_passt.c b/src/qemu/qemu_passt.c index fd0076077e..2153c0ac46 100644 --- a/src/qemu/qemu_passt.c +++ b/src/qemu/qemu_passt.c @@ -281,7 +281,7 @@ qemuPasstStart(virDomainObj *vm, if (qemuExtDeviceLogCommand(driver, vm, cmd, "passt") < 0) return -1; - if (qemuSecurityCommandRun(driver, vm, cmd, -1, -1, false, NULL) < 0) + if (qemuSecurityCommandRun(driver, vm, cmd, -1, -1, true, NULL) < 0) goto error; return 0;
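Review bot: in the qemuPasstStart hunk, the changed call passes a bare `true` as the sixth positional argument, next to `-1, -1` and `NULL`, so nothing at the call site says that this flag is what selects the process's SELinux context. Only the commit message identifies it as useBinarySpecificLabel. A one-line comment above `qemuSecurityCommandRun(driver, vm, cmd, -1, -1, true, NULL)` stating that passt is meant to run under its own binary's label (passt_t) with the domain's MCS part, rather than svirt_t, would keep a later refactor from flipping it back unnoticed. The patch also changes only this call site and adds no test, so it would help to say in the commit message or the comment what the resulting context is on a host where the passt binary does not carry the expected label, since the hunk handles any failure only through the existing `goto error` path.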