From 8fcc6c802575cd37d4cbcfac93615eea9b89d55b Mon Sep 17 00:00:00 2001 From: Nikolai Barybin Date: Wed, 20 Nov 2024 18:48:44 +0300 Subject: [PATCH] security: selinux: handle qcow2 data-file on image label set/restore Signed-off-by: Nikolai Barybin Reviewed-by: Peter Krempa --- src/security/security_selinux.c | 29 ++++++++++++++++++++++++++--- 1 file changed, 26 insertions(+), 3 deletions(-) diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 18daa521d1..cdc32d9b34 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -1934,8 +1934,16 @@ virSecuritySELinuxRestoreImageLabel(virSecurityManager *mgr, virStorageSource *src, virSecurityDomainImageLabelFlags flags G_GNUC_UNUSED) { - return virSecuritySELinuxRestoreImageLabelInt(mgr, sharedFilesystems, - def, src, false); + if (virSecuritySELinuxRestoreImageLabelInt(mgr, sharedFilesystems, + def, src, false) < 0) + return -1; + + if (src->dataFileStore && + virSecuritySELinuxRestoreImageLabelInt(mgr, sharedFilesystems, + def, src->dataFileStore, false) < 0) + return -1; + + return 0; } @@ -1997,7 +2005,7 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityManager *mgr, return 0; use_label = parent_seclabel->label; - } else if (parent == src) { + } else if (parent == src || parent->dataFileStore == src) { if (src->shared) { use_label = data->file_context; } else if (src->readonly) { @@ -2067,6 +2075,14 @@ virSecuritySELinuxSetImageLabel(virSecurityManager *mgr, isChainTop) < 0) return -1; + /* Unlike backing images, data files are not designed to be shared by + * anyone. Thus, we always consider them as chain top. */ + if (n->dataFileStore && + virSecuritySELinuxSetImageLabelInternal(mgr, sharedFilesystems, + def, n->dataFileStore, parent, + true) < 0) + return -1; + if (!(flags & VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN)) break; 
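Review bot: The restore of `src->dataFileStore` in virSecuritySELinuxRestoreImageLabel is never attempted once the restore of `src` fails, because the first call returns -1 before the second one runs, so a failure on the image leaves the data file still carrying the domain's label. Hunk 4 (virSecuritySELinuxRestoreAllLabel) handles the same pair by attempting both calls and accumulating `rc = -1`, and the same shape would suit this function; the body can be rewritten as below. virSecuritySELinuxRestoreImageLabelInt's behaviour after a partial failure is not visible here, so whether the second call is safe once the first failed is an assumption to confirm; the function's signature starts before the hunk.
```c
{
    int rc = 0;

    if (virSecuritySELinuxRestoreImageLabelInt(mgr, sharedFilesystems,
                                               def, src, false) < 0)
        rc = -1;

    /* Attempt the data file even if the image restore failed, so a partial
     * failure does not leave it labelled for the domain. */
    if (src->dataFileStore &&
        virSecuritySELinuxRestoreImageLabelInt(mgr, sharedFilesystems,
                                               def, src->dataFileStore, false) < 0)
        rc = -1;

    return rc;
}
```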
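Review bot: With `parent->dataFileStore == src` added to the condition in virSecuritySELinuxSetImageLabelInternal, the chain top's data file now enters the same label selection as the top image, but the branches that follow test `src->shared` and `src->readonly`, i.e. the flags of the data-file source itself rather than of `parent`. I cannot see from this hunk whether the parser copies those flags onto dataFileStore; if it does not, a shared or readonly disk's data file would skip the `data->file_context` and readonly branches and fall through to whatever the later branches (outside the hunk) choose for a private image. Either confirm the flags are propagated, or test the parent's flags for the data-file case, e.g. `virStorageSource *top = parent == src ? src : parent;` and then `if (top->shared) {` / `} else if (top->readonly) {`. The function starts and ends outside the hunk.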
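Review bot: The comment on the new `n->dataFileStore` call in virSecuritySELinuxSetImageLabel explains why `true` is passed for isChainTop but not that the label itself is still chosen relative to `parent`: only the top image's data file matches the `parent->dataFileStore == src` test added in hunk 2, so a data file attached to a backing image (n != parent) gets the non-top treatment even though it is flagged as chain top. Suggest extending the comment: `/* Unlike backing images, data files are not designed to be shared by anyone. Thus, we always consider them as chain top. The label itself still follows the image they belong to: only the chain top's data file is treated like the top image. */`. The enclosing loop and the function begin before the hunk and continue after it.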
@@ -2929,6 +2945,13 @@ virSecuritySELinuxRestoreAllLabel(virSecurityManager *mgr, def, disk->src, migrated) < 0) rc = -1; + + if (disk->src->dataFileStore && + virSecuritySELinuxRestoreImageLabelInt(mgr, sharedFilesystems, + def, disk->src->dataFileStore, + migrated) < 0) + rc = -1; + } for (i = 0; i < def->nhostdevs; i++) { -- 2.47.2
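Review bot: The added blank line directly after the new `rc = -1;` leaves an empty line before the closing `}` of the ndisks loop in virSecuritySELinuxRestoreAllLabel, which the surrounding code does not do (hunk 1's new body, for comparison, ends at `return 0;` with no trailing blank); drop it so the block reads `rc = -1;` followed by `}`. The added blank line that separates the two restore calls is fine. The loop and the function begin before the hunk and continue after it.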