On 12/20/18 12:39 AM, John Ferlan wrote:
On 12/12/18 7:40 AM, Michal Privoznik wrote:
> Similarly to what I did in DAC driver, this also requires the
> same SELinux label to be used for shared paths. If a path is
> already in use by a domain (or domains) and the domain we
> are starting now wants to access the path it has to have the same
> SELinux label. This might look too restrictive as the new label
> can still guarantee access to already running domains but in
> reality it is very unlikely and usually an admin mistake.
>
> Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
> ---
> src/security/security_selinux.c | 177 +++++++++++++++++++++++---------
> 1 file changed, 130 insertions(+), 47 deletions(-)
>
[...]
> +
> +static int
> +virSecuritySELinuxRecallLabel(const char *path,
> + security_context_t *con)
> +{
> + if (virSecurityGetRememberedLabel(SECURITY_SELINUX_NAME,
> + path, con) < 0)
> + return -1;
> +
> + if (!con)
> + return 1;
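Review bot: the `if (!con)` test at the end of this part of virSecuritySELinuxRecallLabel() runs after con has already been handed to virSecurityGetRememberedLabel(), and it tests the caller's out-pointer rather than the value stored through it, so the `return 1` branch cannot be reached for any caller that passes a valid pointer. If 1 is meant to signal that no label was remembered for the path, test `*con` instead, and add a comment above the function documenting what the -1 and 1 return values mean.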
This ordering of the !con check has caused a Coverity concern that we
use @con in the first call... When compared to the *_dac.c code which
passes &label, I assume this should be passing &con, right?

Ooops, this should have been if (!*con) return 1;.
security_context_t is actually char *; therefore here con is of type
char ** (just look at virSecurityGetRememberedLabel).

I wonder if this will fix the issue Marc reported (unfortunately I don't
have much time to dig into it right now).

Michal
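
The difference between the two checks discussed above, as an added example that is not part of the thread or of libvirt's code. `get_remembered_label()` is a hypothetical stand-in for virSecurityGetRememberedLabel(); its semantics, the `0` return for a recalled label, the paths and the label string are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef char *security_context_t;   /* char *, as the reply points out */
/* Hypothetical stand-in for virSecurityGetRememberedLabel(). Assumed: -1 on
 * error, else 0, with *label left NULL when nothing is remembered for path. */
static int get_remembered_label(const char *path, char **label)
{
    /* Constructed sample: only this one path has a remembered label. */
    static const char known[] = "system_u:object_r:svirt_image_t:s0:c1,c2";
    if (!path || !label)
        return -1;
    *label = NULL;
    if (strcmp(path, "/shared/disk.img") != 0)
        return 0;
    if (!(*label = malloc(sizeof(known))))
        return -1;
    memcpy(*label, known, sizeof(known));
    return 0;
}

/* As posted: tests the out-parameter itself, which the caller always
 * supplies, so the "nothing remembered" result (1) is never returned. */
static int recall_as_posted(const char *path, security_context_t *con)
{
    if (get_remembered_label(path, con) < 0)
        return -1;
    if (!con)
        return 1;
    return 0;   /* assumed "label recalled" result; not shown in the hunk */
}

/* As corrected in the reply: tests the string stored through con. */
static int recall_corrected(const char *path, security_context_t *con)
{
    if (get_remembered_label(path, con) < 0)
        return -1;
    if (!*con)
        return 1;
    return 0;
}

int main(void)
{
    security_context_t con = NULL;
    printf("posted=%d ", recall_as_posted("/fresh/disk.img", &con));
    printf("corrected=%d\n", recall_corrected("/fresh/disk.img", &con));
    return 0;
}
```

With the check as posted, a path that has no remembered label is reported the same way as one that has, leaving the caller holding a NULL context.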