From: Cole Robinson Date: Tue, 11 Nov 2025 16:52:00 +0000 (-0500) Subject: selinux: Mark anything using content_context as shared X-Git-Tag: v11.10.0-rc1~89 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f5bb1ae77ba41d1eb13cd55a8936ced639f509d8;p=thirdparty%2Flibvirt.git selinux: Mark anything using content_context as shared This marks kernel, initrd, dtb, and similar elements with is_shared, meaning we skip label restore if xattr label remembering is not enabled or supported (like on qemu:///session). non-xattr based label restore is subject to race conditions if multiple VMs are starting and stopping using shared media: https://issues.redhat.com/browse/RHEL-126945 This converts every case that is using content_context (virt_content_t) as SetFileLabel time, which is how we are marking content as readonly. All the shareable cases (marked with file_context) are already skipping remembering/label restore entirely. Reviewed-by: Michal Privoznik Signed-off-by: Cole Robinson
---
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 898f253256..2f3cc274a5 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -2841,7 +2841,7 @@ virSecuritySELinuxRestoreSecuritySmartcardCallback(virDomainDef *def,
 database = dev->data.cert.database;
 if (!database)
 database = VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE;
- return virSecuritySELinuxRestoreFileLabel(mgr, database, true, false);
+ return virSecuritySELinuxRestoreFileLabel(mgr, database, true, true);
 
 case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
 return virSecuritySELinuxRestoreChardevLabel(mgr, def,
@@ -2878,7 +2878,7 @@ virSecuritySELinuxRestoreSysinfoLabel(virSecurityManager *mgr,
 virSysinfoFWCfgDef *f = &def->fw_cfgs[i];
 
 if (f->file &&
- virSecuritySELinuxRestoreFileLabel(mgr, f->file, true, false) < 0)
+ virSecuritySELinuxRestoreFileLabel(mgr, f->file, true, true) < 0)
 return -1;
 }
 
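Review bot: The fourth argument flipped to `true` in `return virSecuritySELinuxRestoreFileLabel(mgr, database, true, true);` makes the restore a no-op whenever xattr label remembering is unavailable (per the commit message), but nothing at the call site records that this is deliberate, so the next reader is likely to read `true, true` as a slip; a short comment such as `/* shared content: only restore when xattr remembering proves we own the label */` above the call would pin the intent. The same applies to the fw_cfg call in the second hunk and the kernel/initrd/shim/dtb/acpiTables calls in the third hunk, so the note belongs once at each of those sites or in the documentation of virSecuritySELinuxRestoreFileLabel itself. It is also worth confirming that the corresponding SetFileLabel sites for these paths, which are not in this diff, pass the same shared treatment, since recording a label that is then never recalled could leave stale remembered entries behind. Both enclosing functions, virSecuritySELinuxRestoreSecuritySmartcardCallback and virSecuritySELinuxRestoreSysinfoLabel, start and end outside their hunks.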
@@ -2974,23 +2974,23 @@ virSecuritySELinuxRestoreAllLabel(virSecurityManager *mgr,
 }
 
 if (def->os.kernel &&
- virSecuritySELinuxRestoreFileLabel(mgr, def->os.kernel, true, false) < 0)
+ virSecuritySELinuxRestoreFileLabel(mgr, def->os.kernel, true, true) < 0)
 rc = -1;
 
 if (def->os.initrd &&
- virSecuritySELinuxRestoreFileLabel(mgr, def->os.initrd, true, false) < 0)
+ virSecuritySELinuxRestoreFileLabel(mgr, def->os.initrd, true, true) < 0)
 rc = -1;
 
 if (def->os.shim &&
- virSecuritySELinuxRestoreFileLabel(mgr, def->os.shim, true, false) < 0)
+ virSecuritySELinuxRestoreFileLabel(mgr, def->os.shim, true, true) < 0)
 rc = -1;
 
 if (def->os.dtb &&
- virSecuritySELinuxRestoreFileLabel(mgr, def->os.dtb, true, false) < 0)
+ virSecuritySELinuxRestoreFileLabel(mgr, def->os.dtb, true, true) < 0)
 rc = -1;
 
 for (i = 0; i < def->os.nacpiTables; i++) {
- if (virSecuritySELinuxRestoreFileLabel(mgr, def->os.acpiTables[i]->path, true, false) < 0)
+ if (virSecuritySELinuxRestoreFileLabel(mgr, def->os.acpiTables[i]->path, true, true) < 0)
 rc = -1;
 }