On 1/13/26 15:17, Peter Krempa via Devel wrote: > From: Peter Krempa <[email protected]> > > The concept of moving a seclabel is used e.g. when a new image is > introduced to the backing chain (or one of the existing ones becomes > active during block commit). What it does is that it moves the metedata > remembering the original seclabel to the new image. > > That idea works reasonably well if both the original and new image are > of same type e.g. a file, where they have comparable seclabel. > > It breaks down though when you e.g. create a snapshot stored in a 'file' > on top of a disk originally backed by a 'block' storage source, since > the seclabels differ quite siginificantly. > > This patch restricts the seclabel move in qemuSecurityMoveImageMetadata > to happen only if the storage sources are of same type to avoid the > issue. This means that the seclabels will not be remebered and will be > restored to the default but it's better than to transfer wrong labels. > > Resolves: https://issues.redhat.com/browse/RHEL-114412 > > Signed-off-by: Peter Krempa <[email protected]> > --- > src/qemu/qemu_security.c | 10 ++++++++++ > 1 file changed, 10 insertions(+) >
Reviewed-by: Michal Privoznik <[email protected]> Michal
