On 11/11/25 18:39, Cole Robinson via Devel wrote: > https://issues.redhat.com/browse/RHEL-126945 > > selinux label set/restore has race conditions on qemu:///session, > where the xattr label remembering path is not used. See the above issue > for a more detailed description of the problem. > > This series dodges the issue by skipping the fallback label > restore for readonly resources like kernel and initrd, basically > anything that would get the virt_content_t label. > > > Note, disks already skip _all_ attempts to remember or restore > selinux labels if the disk is marked readonly or shareable, and has > done so for a long time. Maybe we should extend that out for anything > that is inherently readonly or shareable, like kernel + initrd. > But for now I stuck with the more conservative approach. > > And finally, this doesn't actually fix the race condition. If > label remembering is working, the refcounting covers us. But if you > disable label remembering at the qemu.conf level, there's likely > similar issues in the DAC driver even for qemu:///system. I did > not look into fixing the race but I suspect it involves keeping the > security driver locked until the VM fully boots up. > > First two patches are not strictly related, but I noticed them > while I was in the area > Patch 3 adds the plumbing but no behavior change > Patch 4 changes behavior > > Cole Robinson (4): > selinux: Match remember/recall arguments for SavedStateLabel > selinux: Don't remember labels for shareable SCSI devices > selinux: Add is_shared plumbing to RestoreFileLabel > selinux: Mark anything using content_context as shared > > src/security/security_selinux.c | 107 +++++++++++++++++++------------- > 1 file changed, 63 insertions(+), 44 deletions(-) >
Reviewed-by: Michal Privoznik <[email protected]> Michal
