From accd96c210d9c45ec9bae0d9259cf713eb574d52 Mon Sep 17 00:00:00 2001

Message-Id: <accd96c210d9c45ec9bae0d9259cf713eb574d52@dist-git>

From: Laine Stump <laine@redhat.com>

Date: Wed, 1 Mar 2023 15:58:24 -0500

Subject: [PATCH] qemu: set SELinux label of passt process to its own binary's

 label

set useBinarySpecificLabel = true when calling qemuSecurityCommandRun

for the passt process, so that the new process context will include

the binary-specific label that should be used for passt (passt_t)

rather than svirt_t (as would happen if useBinarySpecificLabel was

false). (The MCS part of the label, which is common to all child

processes related to a particular qemu domain instance, is also set).

Resolves: https://bugzilla.redhat.com/2172267

Signed-off-by: Laine Stump <laine@redhat.com>

Reviewed-by: Andrea Bolognani <abologna@redhat.com>

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

(cherry picked from commit 8419dd3b69cfada783a2e6df315e45dd294b0d18)

Conflicts:

	src/qemu/qemu_passt.c

 Another conflict caused by upstream-only change to arglist of

 qemuSecurityCommandRun().

https://bugzilla.redhat.com/2172267

Signed-off-by: Laine Stump <laine@redhat.com>

---

 src/qemu/qemu_passt.c | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/qemu/qemu_passt.c b/src/qemu/qemu_passt.c

index ed7b518212..ecf1c8cb6c 100644

--- a/src/qemu/qemu_passt.c

+++ b/src/qemu/qemu_passt.c

@@ -285,7 +285,7 @@ qemuPasstStart(virDomainObj *vm,

     if (qemuExtDeviceLogCommand(driver, vm, cmd, "passt") < 0)

         return -1;

-    if (qemuSecurityCommandRun(driver, vm, cmd, -1, -1, false,

+    if (qemuSecurityCommandRun(driver, vm, cmd, -1, -1, true,

                                &exitstatus, &cmdret) < 0) {

         goto error;

     }

-- 

2.40.0