From e209e14f4c6a59673b6ab3bf9a33f1ce25edaadf Mon Sep 17 00:00:00 2001
From: Cole Robinson <crobinso@redhat.com>
Date: Wed, 5 Nov 2025 08:35:17 -0500
Subject: [PATCH] tests: test-nbd.pl: label unix socket svirt_image_t

Part of this test uses `qemu-nbd -k SOCKPATH`, and passes
that socket to libvirt. SOCKPATH will have label user_home_t,
which svirt_t can't access, so running with selinux enforcing this
test will always fail.

Manually change the socket label to svirt_image_t which makes
selinux happy.

Note: libvirt does not relabel most (all?) externally managed socket
paths. I think this is correct, since in theory this could be a
socket shared with other processes, so its up to the user to ensure
DAC/MAC permissions are acceptable for their usecase.

Signed-off-by: Cole Robinson <crobinso@redhat.com>
---
 tests/nbd/test-nbd.pl | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/tests/nbd/test-nbd.pl b/tests/nbd/test-nbd.pl
index 9eaa0c41d..4d0925bc2 100755
--- a/tests/nbd/test-nbd.pl
+++ b/tests/nbd/test-nbd.pl
@@ -51,6 +51,7 @@ sub run_test {
 
     my $cwd = getcwd ();
     my $server;
+    my $socket;
     my $pidfile = "$cwd/nbd/nbd.pid";
     unlink "$pidfile";
     my @qemu_nbd = ("qemu-nbd", $disk, "-t", "--pid-file", $pidfile);
@@ -65,7 +66,7 @@ sub run_test {
     }
     else {
         # qemu-nbd insists the socket path is absolute.
-        my $socket = "$cwd/nbd/unix.sock";
+        $socket = "$cwd/nbd/unix.sock";
         unlink "$socket";
         push @qemu_nbd, "-k", "$socket";
         $server = "unix:$socket";
@@ -86,6 +87,13 @@ sub run_test {
     }
     die "qemu-nbd did not start up\n" if ! -f $pidfile;
 
+    # libvirt does not set selinux label on passed in server sockets.
+    # Try relabelling here but don't require it to succeed, maybe
+    # selinux is disabled etc.
+    if ($socket) {
+        system ("chcon -vt svirt_image_t $socket");
+    }
+
     my $g = Sys::Guestfs->new ();
 
     # Add an NBD drive.