From: Cole Robinson <crobinso@redhat.com>
Date: Tue, 11 Nov 2025 16:50:06 +0000 (-0500)
Subject: selinux: Don't remember labels for shareable SCSI devices
X-Git-Tag: v11.10.0-rc1~91
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f4903ebcf7eec5df3261d6267a027735723329e9;p=thirdparty%2Flibvirt.git

selinux: Don't remember labels for shareable SCSI devices

For shareable/readonly devices, label restore is skipped entirely in
virSecuritySELinuxRestoreSCSILabel. So requesting remember=true here
doesn't accomplish anything

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Cole Robinson <crobinso@redhat.com>
---

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 19e550460c..3a91ea46d3 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -2171,10 +2171,10 @@ virSecuritySELinuxSetSCSILabel(virSCSIDevice *dev,
 
     if (virSCSIDeviceGetShareable(dev))
         return virSecuritySELinuxSetFilecon(mgr, file,
-                                            data->file_context, true);
+                                            data->file_context, false);
     else if (virSCSIDeviceGetReadonly(dev))
         return virSecuritySELinuxSetFilecon(mgr, file,
-                                            data->content_context, true);
+                                            data->content_context, false);
     else
         return virSecuritySELinuxSetFilecon(mgr, file,
                                             secdef->imagelabel, true);