
On Wed, Oct 02, 2024 at 17:41:45 +0200, Andrea Bolognani wrote:
In the case of outgoing migration, we avoid restoring the remembered labels for the TPM state directory because doing so would risk cutting off storage access for the target node.
Even in that case though, we should still forget (unref) the remembered labels: if we don't, the source node will keep thinking that the state directory is in use.
Note that this change only affects the SELinux driver because the DAC driver doesn't currently implement label remembering for TPM state at all.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
---
 src/security/security_selinux.c | 49 +++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)

Reviewed-by: Peter Krempa <pkrempa@redhat.com>