virSecuritySELinuxRestoreImageLabelInt: Move FD image relabeling after 'migrated' check

Reorganize the code so that the 'migrated' flag isn't checked multiple
times and thus that it's more obvious what is happening when the
'migrated' flag is asserted.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>

src/security/security_selinux.c

@@ -1819,26 +1819,15 @@ virSecuritySELinuxRestoreImageLabelInt(virSecurityManager *mgr,
     if (src->readonly || src->shared)
         return 0;
 
-    if (virStorageSourceIsFD(src)) {
-        if (migrated)
-            return 0;
-
-        if (!src->fdtuple ||
-            !src->fdtuple->selinuxLabel ||
-            src->fdtuple->nfds == 0)
-            return 0;
-
-        ignore_value(virSecuritySELinuxFSetFilecon(src->fdtuple->fds[0],
-                                                   src->fdtuple->selinuxLabel));
-        return 0;
-    }
-
     /* If we have a shared FS and are doing migration, we must not change
      * ownership, because that kills access on the destination host which is
      * sub-optimal for the guest VM's I/O attempts :-) */
     if (migrated) {
         int rc = 1;
 
+        if (virStorageSourceIsFD(src))
+            return 0;
+
         if (virStorageSourceIsLocalStorage(src)) {
             if (!src->path)
                 return 0;
@@ -1854,6 +1843,17 @@ virSecuritySELinuxRestoreImageLabelInt(virSecurityManager *mgr,
         }
     }
 
+    if (virStorageSourceIsFD(src)) {
+        if (!src->fdtuple ||
+            !src->fdtuple->selinuxLabel ||
+            src->fdtuple->nfds == 0)
+            return 0;
+
+        ignore_value(virSecuritySELinuxFSetFilecon(src->fdtuple->fds[0],
+                                                   src->fdtuple->selinuxLabel));
+        return 0;
+    }
+
     /* This is not very clean. But so far we don't have NVMe
      * storage pool backend so that its chownCallback would be
      * called. And this place looks least offensive. */