Re: [PATCH v2] selinux label: restore all labels when some labels fail to set

On 2020/11/13 22:33, Michal Privoznik wrote: I think we can reproduce it in a more easier way, that is, starting a VM whose XML is configured with a pipe file that does not exist on local host: <serial type='pipe'>       <source path='/tmp/serial.pipe'/>       <target port='0'/>     </serial> 1. Though '/tmp/serial.pipe' does not exist, this secdriver (if I'm not mistaken about this concept) set SELinux-label return success, and the marked items (eg. XXX.fd, XXX.iso) will not be rollback. [call trace]: virSecuritySELinuxTransactionRun -- return 0 virSecuritySELinuxSetFilecon -- return 0 virSecuritySELinuxSetFileconImpl -- return 1, warned unable to ... 2. The next secdriver about setting DAC-label run in virSecurityDACTransactionRun() return false because above file does not exist. virSecurityManagerTransactionCommit() return false, but where is the rollback performed for other secdrivers (here means setting SELinux-label in 1) ? I don't quite understand the second point you mentioned in your last reply: --- 2) rollback for other secdrivers after one failed is handled in virSecurityStackSetAllLabel(). --- In addition, is there any wrong in virSecuritySELinuxTransactionRun return success while '/tmp/serial.pipe' does not exist? Yan