security: selinux: Label externalDataStore

We mirror the labeling strategy that was used for its top image
Reviewed-by: NDaniel Henrique Barboza <danielhb413@gmail.com>
Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>
Signed-off-by: NCole Robinson <crobinso@redhat.com>

src/security/security_selinux.c

@@ -1846,7 +1846,7 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityManagerPtr mgr,
     virSecurityDeviceLabelDefPtr parent_seclabel = NULL;
     char *use_label = NULL;
     bool remember;
-    bool is_toplevel = parent == src;
+    bool is_toplevel = parent == src || parent->externalDataStore == src;
     int ret;
 
     if (!src->path || !virStorageSourceIsLocalStorage(src))
@@ -1933,6 +1933,14 @@ virSecuritySELinuxSetImageLabelRelative(virSecurityManagerPtr mgr,
         if (virSecuritySELinuxSetImageLabelInternal(mgr, def, n, parent) < 0)
             return -1;
 
+        if (n->externalDataStore &&
+            virSecuritySELinuxSetImageLabelRelative(mgr,
+                                                    def,
+                                                    n->externalDataStore,
+                                                    parent,
+                                                    flags) < 0)
+            return -1;
+
         if (!(flags & VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN))
             break;
     }