On 08/13/2013 08:11 AM, Daniel P. Berrange wrote:
> On Mon, Aug 12, 2013 at 10:19:47PM -0600, Eric Blake wrote:
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=924153
> >
> > Commit 904e05a2 (v0.9.9) added a per-<disk> seclabel element with
> > an attribute relabel='no' in order to try and minimize the
> > impact of shutdown delays when an NFS server disappears. The idea
> > was that if a disk is on NFS and can't be labeled in the first
> > place, there is no need to attempt the (no-op) relabel on domain
> > shutdown. Unfortunately, the way this was implemented was by
> > modifying the domain XML so that the optimization would survive
> > libvirtd restart, but in a way that is indistinguishable from an
> > explicit user setting. Furthermore, once the setting is turned
> > on, libvirt avoids attempts at labeling, even for operations like
> > snapshot or blockcopy where the chain is being extended or pivoted
> > onto non-NFS, where SELinux labeling is once again possible. As
> > a result, it was impossible to do a blockcopy to pivot from an
> > NFS image file onto a local file.
> >
> The changes look reasonable, but I'd be a lot happier if the
> securityselinuxlabeltest.c was covering this scenario. We
> already have that test using an LD_PRELOAD hack to mock the
> selinux APIs. It ought to be possible to extend it to return
> the same errno conditions you'd see on NFS, when given certain
> filenames, to allow this code to be validated.

Okay, I'll work on a followup patch to do that.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library
http://libvirt.org
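
The kind of filename-keyed mock suggested in the review above, as an added example that is not part of the original thread and is not libvirt's own test helper. It would be built as a shared object and injected with LD_PRELOAD. The `/nfs/` prefix, the choice of `EOPNOTSUPP` as the NFS errno, the in-memory label table and the `mock_label_of` accessor are assumptions made for illustration.

```c
/* Added example: stand-in for libselinux's setfilecon_raw() that fails for
 * "NFS" paths and records labels for everything else. */
#include <errno.h>
#include <string.h>

#define MOCK_NFS_PREFIX "/nfs/"   /* assumption: paths treated as NFS-backed */
#define MOCK_MAX_FILES  16
#define MOCK_MAX_LEN    256

static struct {
    char path[MOCK_MAX_LEN];
    char con[MOCK_MAX_LEN];
} labels[MOCK_MAX_FILES];
static size_t nlabels;

/* Same prototype as the libselinux call it replaces. */
int setfilecon_raw(const char *path, const char *con)
{
    size_t i;

    if (strncmp(path, MOCK_NFS_PREFIX, strlen(MOCK_NFS_PREFIX)) == 0) {
        errno = EOPNOTSUPP;       /* assumption: errno seen when labeling on NFS */
        return -1;
    }
    if (strlen(path) >= MOCK_MAX_LEN || strlen(con) >= MOCK_MAX_LEN) {
        errno = ENAMETOOLONG;
        return -1;
    }
    for (i = 0; i < nlabels; i++)
        if (strcmp(labels[i].path, path) == 0)
            break;
    if (i == nlabels) {           /* first label for this path: take a new slot */
        if (nlabels == MOCK_MAX_FILES) {
            errno = ENOSPC;
            return -1;
        }
        strcpy(labels[nlabels++].path, path);
    }
    strcpy(labels[i].con, con);   /* a later relabel overwrites the earlier one */
    return 0;
}

/* Hypothetical accessor for the test: recorded label, or NULL if none. */
const char *mock_label_of(const char *path)
{
    for (size_t i = 0; i < nlabels; i++)
        if (strcmp(labels[i].path, path) == 0)
            return labels[i].con;
    return NULL;
}
```

A test for the blockcopy case can then check that labeling the NFS source fails with the expected errno while the local pivot destination still ends up labeled.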