https://issues.redhat.com/browse/RHEL-126945
selinux label set/restore has race conditions on qemu:///session, where the xattr label remembering path is not used. See the above issue for a more detailed description of the problem. This series dodges the issue by skipping the fallback label restore for readonly resources like kernel and initrd, basically anything that would get the virt_content_t label. Note, disks already skip _all_ attempts to remember or restore selinux labels if the disk is marked readonly or shareable, and has done so for a long time. Maybe we should extend that out for anything that is inherently readonly or shareable, like kernel + initrd. But for now I stuck with the more conservative approach. And finally, this doesn't actually fix the race condition. If label remembering is working, the refcounting covers us. But if you disable label remembering at the qemu.conf level, there's likely similar issues in the DAC driver even for qemu:///system. I did not look into fixing the race but I suspect it involves keeping the security driver locked until the VM fully boots up. First two patches are not strictly related, but I noticed them while I was in the area Patch 3 adds the plumbing but no behavior change Patch 4 changes behavior Cole Robinson (4): selinux: Match remember/recall arguments for SavedStateLabel selinux: Don't remember labels for shareable SCSI devices selinux: Add is_shared plumbing to RestoreFileLabel selinux: Mark anything using content_context as shared src/security/security_selinux.c | 107 +++++++++++++++++++------------- 1 file changed, 63 insertions(+), 44 deletions(-) -- 2.51.1
