On 09.09.2011 09:24, Daniel Veillard wrote:
On Thu, Sep 08, 2011 at 06:26:05PM +0200, Michal Privoznik wrote:
> If we fail setting label on a file and this file is on NFS share,
> it is wise to advise user to set virt_use_nfs selinux boolean
> variable.
> ---
> src/security/security_selinux.c | 11 ++++++++++-
> 1 files changed, 10 insertions(+), 1 deletions(-)
>
> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
> index ca54f9b..028f5b2 100644
> --- a/src/security/security_selinux.c
> +++ b/src/security/security_selinux.c
> @@ -420,8 +420,17 @@ SELinuxSetFilecon(const char *path, char *tcon)
> * virt_use_{nfs,usb,pci} boolean tunables to allow it...
> */
> if (setfilecon_errno != EOPNOTSUPP) {
> + const char *errmsg;
> + if ((virStorageFileIsSharedFSType(path,
> + VIR_STORAGE_FILE_SHFS_NFS) == 1)
&&
> + security_get_boolean_active("virt_use_nfs") != 1) {
> + errmsg = _("unable to set security context '%s' on
'%s'. "
> + "Consider setting virt_use_nfs");
> + } else {
> + errmsg = _("unable to set security context '%s' on
'%s'");
> + }
> virReportSystemError(setfilecon_errno,
> - _("unable to set security context '%s'
on '%s'"),
> + errmsg,
> tcon, path);
> if (security_getenforce() == 1)
> return -1;
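Review bot: passing `errmsg` as the format argument to virReportSystemError() turns the format string into a non-literal, so the compiler can no longer check it against the `tcon, path` arguments. Both branches take the same two %s conversions today, but only convention keeps them in step. Two separate virReportSystemError() calls, each with its own literal _() string, would keep that check. Separately, the new branch sits inside `if (setfilecon_errno != EOPNOTSUPP)`, so the virt_use_nfs hint is printed only for errors other than EOPNOTSUPP; it is worth confirming that the NFS failure described in the commit message actually reaches this path. A -1 return from virStorageFileIsSharedFSType() falls through to the generic message, which looks intended. The hint text could also say that virt_use_nfs is an SELinux boolean, so the user knows where to set it.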
I like this, definitely a usability enhancement (for a specific case)
ACK
Daniel
Thanks, pushed.
Michal