On 1/13/26 15:17, Peter Krempa via Devel wrote:
From: Peter Krempa <pkrempa@redhat.com>
The concept of moving a seclabel is used e.g. when a new image is introduced to the backing chain (or one of the existing ones becomes active during block commit). What it does is that it moves the metadata remembering the original seclabel to the new image.
That idea works reasonably well if both the original and new image are of the same type, e.g. a file, where they have comparable seclabels.
It breaks down though when you e.g. create a snapshot stored in a 'file' on top of a disk originally backed by a 'block' storage source, since the seclabels differ quite significantly.
This patch restricts the seclabel move in qemuSecurityMoveImageMetadata to happen only if the storage sources are of the same type to avoid the issue. This means that the seclabels will not be remembered and will be restored to the default, but it's better than to transfer wrong labels.
Resolves: https://issues.redhat.com/browse/RHEL-114412
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
---
 src/qemu/qemu_security.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

Michal