If the connection to the sanlock daemon is forbidden by selinux, the
error message is not clear enough. This patch adds a check for whether the
proper selinux configuration is in use when trying to connect to sanlock.
*src/locking/lock_driver_sanlock.c:
- add macro virLockSystemError that checks for selinux and
reports an improved error message
- modify calls of virReportSystemError to the new macro in
appropriate places
Background:
https://bugzilla.redhat.com/show_bug.cgi?id=770488
---
src/locking/lock_driver_sanlock.c | 83 +++++++++++++++++++++++--------------
1 files changed, 52 insertions(+), 31 deletions(-)
diff --git a/src/locking/lock_driver_sanlock.c b/src/locking/lock_driver_sanlock.c
index d344d6a..d5634f9 100644
--- a/src/locking/lock_driver_sanlock.c
+++ b/src/locking/lock_driver_sanlock.c
@@ -35,6 +35,10 @@
#include <sanlock_resource.h>
#include <sanlock_admin.h>
+#if HAVE_SELINUX
+# include <selinux/selinux.h>
+#endif
+
#include "lock_driver.h"
#include "logging.h"
#include "virterror_internal.h"
@@ -51,7 +55,23 @@
#define virLockError(code, ...) \
virReportErrorHelper(VIR_FROM_THIS, code, __FILE__, \
__FUNCTION__, __LINE__, __VA_ARGS__)
-
+#if HAVE_SELINUX
+# define virLockSystemError(theerrno, format, ...) \
+ do { \
+ if ((theerrno)==EACCES && \
+ security_get_boolean_active("virt_use_sanlock") == 0) {
\
+ char errbuff[1024]; \
+ snprintf(errbuff, sizeof(errbuff), "%s %s", (format),
\
+ _("(Consider setting virt_use_sanlock selinux
variable)"));\
+ virReportSystemError((theerrno), errbuff, __VA_ARGS__); \
+ } else { \
+ virReportSystemError((theerrno), (format), __VA_ARGS__); \
+ } \
+ } while(0);
+#else
+# define virLockSystemError(...) \
+ virReportSystemError(__VA_ARGS__);
+#endif
#define VIR_LOCK_MANAGER_SANLOCK_AUTO_DISK_LOCKSPACE "__LIBVIRT__DISKS__"
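Review bot: The macro ends in `while(0);` (and the non-selinux variant in `virReportSystemError(__VA_ARGS__);`), so each use expands to two statements and the macro cannot sit in an `if` branch that is followed by `else`; both trailing semicolons should go. The selinux branch also passes a buffer assembled at run time as the format string without checking the snprintf() result. If the combined text ever exceeds the 1024-byte `errbuff`, the format is cut at an arbitrary byte, possibly inside a conversion. The translated hint is spliced into the format itself, so a `%` in a translation of it would be read as a conversion. The version below falls back to the caller's format when the hint does not fit; a comment above the macro should state that `format` must be a printf-style format matching the variadic arguments and that the hint is added only for EACCES with the boolean off.

```c
#if HAVE_SELINUX
# define virLockSystemError(theerrno, format, ...)                            \
    do {                                                                      \
        char errbuff[1024];                                                   \
        int errlen = -1;                                                      \
        if ((theerrno) == EACCES &&                                           \
            security_get_boolean_active("virt_use_sanlock") == 0)             \
            errlen = snprintf(errbuff, sizeof(errbuff), "%s %s", (format),    \
                              _("(Consider setting virt_use_sanlock selinux variable)")); \
        /* use the caller's format unchanged if the hint did not fit */       \
        if (errlen > 0 && (size_t)errlen < sizeof(errbuff))                   \
            virReportSystemError((theerrno), errbuff, __VA_ARGS__);           \
        else                                                                  \
            virReportSystemError((theerrno), (format), __VA_ARGS__);          \
    } while (0)
#else
# define virLockSystemError(...) \
    virReportSystemError(__VA_ARGS__)
#endif
```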
@@ -186,9 +206,9 @@ static int virLockManagerSanlockSetupLockspace(void)
_("Unable to query sector size %s: error
%d"),
path, rv);
else
- virReportSystemError(-rv,
- _("Unable to query sector size %s"),
- path);
+ virLockSystemError(-rv,
+ _("Unable to query sector size %s"),
+ path);
goto error_unlink;
}
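Review bot: The selinux hint is now attached to every EACCES reported in this file, not only to a failed connection to the sanlock daemon, which is the case the commit message describes. In this hunk of virLockManagerSanlockSetupLockspace the failing operation is a sector-size query on `path`; the same applies to the lockspace and lease initialisation hunks, the second sector-size hunk in virLockManagerSanlockCreateLease and the lock-state parsing hunk in virLockManagerSanlockAcquire. An EACCES at those sites may come from file ownership, mode or labelling rather than the boolean (inferred from the messages, since the failing calls are outside the hunks), and the hint would then steer an administrator toward loosening policy that is not the cause. I would keep `virReportSystemError(-rv, _("Unable to query sector size %s"), path);` at those sites and use virLockSystemError only where the socket to the daemon is opened or used.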
@@ -215,9 +235,9 @@ static int virLockManagerSanlockSetupLockspace(void)
_("Unable to initialize lockspace %s: error
%d"),
path, rv);
else
- virReportSystemError(-rv,
- _("Unable to initialize lockspace
%s"),
- path);
+ virLockSystemError(-rv,
+ _("Unable to initialize lockspace %s"),
+ path);
goto error_unlink;
}
VIR_DEBUG("Lockspace %s has been initialized", path);
@@ -236,9 +256,9 @@ static int virLockManagerSanlockSetupLockspace(void)
_("Unable to add lockspace %s: error %d"),
path, rv);
else
- virReportSystemError(-rv,
- _("Unable to add lockspace %s"),
- path);
+ virLockSystemError(-rv,
+ _("Unable to add lockspace %s"),
+ path);
goto error_unlink;
} else {
VIR_DEBUG("Lockspace %s is already registered", path);
@@ -559,9 +579,9 @@ static int virLockManagerSanlockCreateLease(struct sanlk_resource
*res)
_("Unable to query sector size %s: error
%d"),
res->disks[0].path, rv);
else
- virReportSystemError(-rv,
- _("Unable to query sector size %s"),
- res->disks[0].path);
+ virLockSystemError(-rv,
+ _("Unable to query sector size %s"),
+ res->disks[0].path);
goto error_unlink;
}
@@ -588,9 +608,9 @@ static int virLockManagerSanlockCreateLease(struct sanlk_resource
*res)
_("Unable to initialize lease %s: error %d"),
res->disks[0].path, rv);
else
- virReportSystemError(-rv,
- _("Unable to initialize lease %s"),
- res->disks[0].path);
+ virLockSystemError(-rv,
+ _("Unable to initialize lease %s"),
+ res->disks[0].path);
goto error_unlink;
}
VIR_DEBUG("Lease %s has been initialized", res->disks[0].path);
@@ -711,9 +731,9 @@ static int virLockManagerSanlockAcquire(virLockManagerPtr lock,
_("Unable to parse lock state %s: error %d"),
state, rv);
else
- virReportSystemError(-rv,
- _("Unable to parse lock state %s"),
- state);
+ virLockSystemError(-rv,
+ _("Unable to parse lock state %s"),
+ state);
goto error;
}
res_free = true;
@@ -736,8 +756,9 @@ static int virLockManagerSanlockAcquire(virLockManagerPtr lock,
_("Failed to open socket to sanlock daemon: error
%d"),
sock);
else
- virReportSystemError(-sock, "%s",
- _("Failed to open socket to sanlock
daemon"));
+ virLockSystemError(-sock, "%s",
+ _("Failed to open socket to sanlock daemon"));
+
goto error;
}
@@ -750,8 +771,8 @@ static int virLockManagerSanlockAcquire(virLockManagerPtr lock,
virLockError(VIR_ERR_INTERNAL_ERROR,
_("Failed to acquire lock: error %d"), rv);
else
- virReportSystemError(-rv, "%s",
- _("Failed to acquire lock"));
+ virLockSystemError(-rv, "%s",
+ _("Failed to acquire lock"));
goto error;
}
}
@@ -774,8 +795,8 @@ static int virLockManagerSanlockAcquire(virLockManagerPtr lock,
virLockError(VIR_ERR_INTERNAL_ERROR,
_("Failed to restrict process: error %d"), rv);
else
- virReportSystemError(-rv, "%s",
- _("Failed to restrict process"));
+ virLockSystemError(-rv, "%s",
+ _("Failed to restrict process"));
goto error;
}
}
@@ -823,8 +844,8 @@ static int virLockManagerSanlockRelease(virLockManagerPtr lock,
virLockError(VIR_ERR_INTERNAL_ERROR,
_("Failed to inquire lock: error %d"), rv);
else
- virReportSystemError(-rv, "%s",
- _("Failed to inquire lock"));
+ virLockSystemError(-rv, "%s",
+ _("Failed to inquire lock"));
return -1;
}
@@ -837,8 +858,8 @@ static int virLockManagerSanlockRelease(virLockManagerPtr lock,
virLockError(VIR_ERR_INTERNAL_ERROR,
_("Failed to release lock: error %d"), rv);
else
- virReportSystemError(-rv, "%s",
- _("Failed to release lock"));
+ virLockSystemError(-rv, "%s",
+ _("Failed to release lock"));
return -1;
}
@@ -866,8 +887,8 @@ static int virLockManagerSanlockInquire(virLockManagerPtr lock,
virLockError(VIR_ERR_INTERNAL_ERROR,
_("Failed to inquire lock: error %d"), rv);
else
- virReportSystemError(-rv, "%s",
- _("Failed to inquire lock"));
+ virLockSystemError(-rv, "%s",
+ _("Failed to inquire lock"));
return -1;
}
--
1.7.3.4