All the necessary explanation is in Patch 3/4.

We may want to turn on this same behavior for some other external
processes, but right now the one we need it for is passt.

Resolves: https://bugzilla.redhat.com/2172267

Laine Stump (4):
  util: add an API to retrieve the resolved path to a virCommand's binary
  security: make args to virSecuritySELinuxContextAddRange() const
  security: make it possible to set SELinux label of child process from its binary
  qemu: set SELinux label of passt process to its own binary's label

 src/libvirt_private.syms         |  1 +
 src/qemu/qemu_dbus.c             |  2 +-
 src/qemu/qemu_passt.c            |  2 +-
 src/qemu/qemu_process.c          |  2 +-
 src/qemu/qemu_security.c         |  5 ++-
 src/qemu/qemu_security.h         |  1 +
 src/qemu/qemu_slirp.c            |  2 +-
 src/qemu/qemu_tpm.c              |  3 +-
 src/qemu/qemu_vhost_user_gpu.c   |  2 +-
 src/security/security_apparmor.c |  1 +
 src/security/security_dac.c      |  1 +
 src/security/security_driver.h   |  1 +
 src/security/security_manager.c  |  8 +++-
 src/security/security_manager.h  |  1 +
 src/security/security_nop.c      |  1 +
 src/security/security_selinux.c  | 77 ++++++++++++++++++++++++++++++--
 src/security/security_stack.c    |  5 ++-
 src/util/vircommand.c            | 51 ++++++++++++++++-----
 src/util/vircommand.h            |  1 +
 19 files changed, 143 insertions(+), 24 deletions(-)

--
2.39.2