On 03/20/2014 11:27 AM, Michal Privoznik wrote:
On 18.03.2014 18:02, Scott Sullivan wrote:
> Per the documentation, is_selinux_enabled() returns -1 on error. Account
> for this. Previously when -1 was being returned the condition would
> still be true. I was noticing this because on my system that has selinux
> disabled I was getting this in the libvirt.log every 5 seconds:
>
> error : virIdentityGetSystem:173 : Unable to lookup SELinux process
> context: Invalid argument
>
> With this patch applied, I no longer get these messages every 5 seconds.
> I am submitting this in case it's deemed useful for inclusion. Anyone
> have any comments on this change? This is a patch off current master.
>
>
> From 23e0780db43ebd3ea90710750639df901c261674 Mon Sep 17 00:00:00 2001
> From: Scott Sullivan <ssullivan(a)liquidweb.com>
> Date: Tue, 18 Mar 2014 12:55:50 -0400
> Subject: [PATCH] is_selinux_enabled returns -1 on error, account for
> this.
>
> ---
> src/security/security_selinux.c | 2 +-
> src/util/viridentity.c | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/src/security/security_selinux.c
> b/src/security/security_selinux.c
> index 02c7496..5f46bef 100644
> --- a/src/security/security_selinux.c
> +++ b/src/security/security_selinux.c
> @@ -784,7 +784,7 @@ error:
> static int
> virSecuritySELinuxSecurityDriverProbe(const char *virtDriver)
> {
> - if (!is_selinux_enabled())
> + if (is_selinux_enabled() <= 0)
> return SECURITY_DRIVER_DISABLE;
>
> if (virtDriver && STREQ(virtDriver, "LXC")) {
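Review bot: In virSecuritySELinuxSecurityDriverProbe(), the new `<= 0` test folds the -1 error return into the same path as "SELinux disabled", so a failed lookup now silently returns SECURITY_DRIVER_DISABLE and the driver is skipped with no trace in the log. Consider storing the return value in a local and handling `< 0` separately, at least logging it, so that a host where the SELinux state could not be determined is distinguishable from one where it is off. The commit message body is also empty; the rationale from the cover text (the -1 return and the repeated log line) belongs there.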
> diff --git a/src/util/viridentity.c b/src/util/viridentity.c
> index 351fdd7..05e7568 100644
> --- a/src/util/viridentity.c
> +++ b/src/util/viridentity.c
> @@ -169,7 +169,7 @@ virIdentityPtr virIdentityGetSystem(void)
> goto cleanup;
>
> #if WITH_SELINUX
> - if (is_selinux_enabled()) {
> + if (is_selinux_enabled() > 0) {
> if (getcon(&con) < 0) {
> virReportSystemError(errno, "%s",
> _("Unable to lookup SELinux process
> context"));
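Review bot: In virIdentityGetSystem(), `is_selinux_enabled() > 0` skips the getcon() block on the -1 error return as well as on 0, so the identity is built without an SELinux context and nothing records why. If callers use that context for access decisions, an error here should be visible: keep the return value in a local, treat `< 0` explicitly (a debug or warning message is enough if continuing is intended), and only fall through silently on 0. The two call sites in this patch now express the same tri-state check as `<= 0` and `> 0`; a shared helper or a consistent form would make the intent easier to audit.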
ACK, although I had some difficulties with applying this patch. I'd
strongly recommend using 'git send-email' next time as it makes sure
the patch will apply cleanly.
Michal
Thanks Michal, I'll be sure to do so.