Fix virt-handler restart issue

selinux does not like if a fcontext is redefined. Check if we already
added our labels and skip adding the label if we did.

cmd/virt-handler/virt-handler.go

@@ -194,6 +194,11 @@ func (app *virtHandlerApp) Run() {
 	se, exists, err := selinux.NewSELinux()
 	if err == nil && exists {
 		for _, dir := range []string{app.VirtShareDir, app.VirtLibDir} {
+			if labeled, err := se.IsLabeled(dir); err != nil {
+				panic(err)
+			} else if labeled {
+				continue
+			}
 			err := se.Label("container_file_t", dir)
 			if err != nil {
 				panic(err)

pkg/virt-handler/selinux/labels.go

@@ -93,6 +93,18 @@ func (se *SELinuxImpl) Label(label string, dir string) (err error) {
 	return nil
 }
 
+func (se *SELinuxImpl) IsLabeled(dir string) (labeled bool, err error) {
+	dir = strings.TrimRight(dir, "/") + "(/.*)?"
+	out, err := se.execute("semanage", se.Paths, "fcontext", "-l")
+	if err != nil {
+		return false, fmt.Errorf("failed to list labels: %v ", string(out))
+	}
+	if strings.Contains(string(out), dir) {
+		return true, nil
+	}
+	return false, nil
+}
+
 func (se *SELinuxImpl) Restore(dir string) (err error) {
 	dir = strings.TrimRight(dir, "/") + "/"
 	out, err := se.execute("restorecon", se.Paths, "-r", "-v", dir)
@@ -104,5 +116,6 @@ func (se *SELinuxImpl) Restore(dir string) (err error) {
 
 type SELinux interface {
 	Label(dir string, label string) (err error)
+	IsLabeled(dir string) (labeled bool, err error)
 	Restore(dir string) (err error)
 }

pkg/virt-handler/selinux/labels_test.go

@@ -81,6 +81,43 @@ var _ = Describe("selinux", func() {
 		})
 	})
 
+	Context("getting the label of a directory", func() {
+
+		It("should fail if semanage does not exist", func() {
+			_, err := selinux.IsLabeled("whatever")
+			Expect(err).To(HaveOccurred())
+		})
+
+		It("should fail if semanage exists but the command fails", func() {
+			touch(filepath.Join(tempDir, "/usr/bin", "semanage"))
+			selinux.execFunc = func(binary string, args ...string) (bytes []byte, e error) {
+				return nil, fmt.Errorf("I failed")
+			}
+			_, err := selinux.IsLabeled("whatever")
+			Expect(err).To(HaveOccurred())
+		})
+
+		It("should detect if the directory is not labeled", func() {
+			touch(filepath.Join(tempDir, "/usr/bin", "semanage"))
+			selinux.execFunc = func(binary string, args ...string) (bytes []byte, e error) {
+				return []byte("not found"), nil
+			}
+			labeled, err := selinux.IsLabeled("whatever")
+			Expect(err).ToNot(HaveOccurred())
+			Expect(labeled).To(BeFalse())
+		})
+
+		It("should detect if the directory is labeled", func() {
+			touch(filepath.Join(tempDir, "/usr/bin", "semanage"))
+			selinux.execFunc = func(binary string, args ...string) (bytes []byte, e error) {
+				return []byte("whatever(/.*)?"), nil
+			}
+			labeled, err := selinux.IsLabeled("whatever")
+			Expect(err).ToNot(HaveOccurred())
+			Expect(labeled).To(BeTrue())
+		})
+	})
+
 	Context("restoring labels on a directory", func() {
 
 		It("should fail if restorecon does not exist", func() {