From cc16fa2a85d038caa8a9327ed6c36630ed133aec Mon Sep 17 00:00:00 2001
From: Peter Krempa <pkrempa@redhat.com>
Date: Tue, 17 Oct 2017 08:03:42 +0200
Subject: [PATCH] security: selinux: Take parent security label into account

Until now we ignored user-provided backing chains and while detecting the code inherited labels of the parent device. With user provided chains we should keep this functionality, so label of the parent image in the backing chain will be applied if an image-specific label is not present.
---
 src/security/security_selinux.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 66b3bbf1c5..ed1828a12f 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1597,6 +1597,7 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityManagerPtr mgr,
 virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
 virSecurityLabelDefPtr secdef;
 virSecurityDeviceLabelDefPtr disk_seclabel;
+ virSecurityDeviceLabelDefPtr parent_seclabel = NULL;
 int ret;
 if (!src->path || !virStorageSourceIsLocalStorage(src))
@@ -1608,12 +1609,20 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityManagerPtr mgr,
 disk_seclabel = virStorageSourceGetSecurityLabelDef(src,
 SECURITY_SELINUX_NAME);
+ if (parent)
+ parent_seclabel = virStorageSourceGetSecurityLabelDef(parent,
+ SECURITY_SELINUX_NAME);
- if (disk_seclabel && !disk_seclabel->relabel)
- return 0;
+ if (disk_seclabel && (!disk_seclabel->relabel || disk_seclabel->label)) {
+ if (!disk_seclabel->relabel)
+ return 0;
- if (disk_seclabel && disk_seclabel->relabel && disk_seclabel->label) {
 ret = virSecuritySELinuxSetFilecon(mgr, src->path, disk_seclabel->label);
+ } else if (parent_seclabel && (!parent_seclabel->relabel || parent_seclabel->label)) {
+ if (!parent_seclabel->relabel)
+ return 0;
+
+ ret = virSecuritySELinuxSetFilecon(mgr, src->path, parent_seclabel->label);
 } else if (!parent || parent == src) {
 if (src->shared) {
 ret = virSecuritySELinuxSetFileconOptional(mgr,
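Review bot: The new `else if (parent_seclabel && ...)` branch applies the parent's label verbatim to a backing-chain member with no comment, and that has two consequences worth stating at the branch. A label given on the top image is presumably that image's read-write context, so every backing file without its own `<seclabel>` now receives it instead of whatever the default path further down assigns (which, from the `parent == src` split, looks like a distinct label for chain members), widening what the guest process may write; and a parent with `relabel='no'` now suppresses labeling of the whole chain, including a child that carries `relabel='yes'` without an explicit label, because that child fails the first condition and reaches the inner `return 0`. If both are intended, a comment above the branch such as `/* No image-specific label: inherit the parent's label and its relabel=no; this grants the guest the parent's access rights on this backing file */` records it, and the commit description could mention the relabel='no' inheritance too. If the second is not intended, guarding the branch with `!disk_seclabel` would let an explicit child seclabel fall through to the default labelling as before. virSecuritySELinuxSetImageLabelInternal starts before this hunk and its remaining branches continue after it.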