Set proper selinux label on image file during qemu domain restore

Also restore the label to its original value after qemu is finished
with the file.

Prior to this patch, qemu domain restore did not function properly if
selinux was set to enforce.

src/qemu/qemu_driver.c

@@ -6268,7 +6268,6 @@ error:
     return -1;
 }
 
-/* TODO: check seclabel restore */
 static int ATTRIBUTE_NONNULL(6)
 qemudDomainSaveImageStartVM(virConnectPtr conn,
                             struct qemud_driver *driver,
@@ -6380,6 +6379,11 @@ qemudDomainSaveImageStartVM(virConnectPtr conn,
     ret = 0;
 
 out:
+    if (driver->securityDriver &&
+        driver->securityDriver->domainRestoreSavedStateLabel &&
+        driver->securityDriver->domainRestoreSavedStateLabel(vm, path) == -1)
+        VIR_WARN("failed to restore save state label on %s", path);
+
     return ret;
 }
 

src/security/security_selinux.c

@@ -972,7 +972,7 @@ SELinuxSetSecurityChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
 
 
 static int
-SELinuxSetSecurityAllLabel(virDomainObjPtr vm, const char *stdin_path ATTRIBUTE_UNUSED)
+SELinuxSetSecurityAllLabel(virDomainObjPtr vm, const char *stdin_path)
 {
     const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
     int i;
@@ -1009,6 +1009,10 @@ SELinuxSetSecurityAllLabel(virDomainObjPtr vm, const char *stdin_path ATTRIBUTE_
         SELinuxSetFilecon(vm->def->os.initrd, default_content_context) < 0)
         return -1;
 
+    if (stdin_path &&
+        SELinuxSetFilecon(stdin_path, default_content_context) < 0)
+        return -1;
+
     return 0;
 }