
On 07/15/2015 09:02 AM, Michal Privoznik wrote:
https://bugzilla.redhat.com/show_bug.cgi?id=1124841
When the daemon is running under an unprivileged user, that is under qemu:///session, there are plenty of operations we can't do. What we can do is to go with best effort. One such case is relabeling domain resources (be it disks, sockets, regular files, etc.) during the domain startup process. While we may successfully set DAC labels, we can be fairly certain that any attempt to change SELinux labels will fail. Therefore we should tolerate relabelling errors and just let qemu try to access the resources. If it fails, our error reporting system is strong enough to articulate the exact error to the user anyway.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
 src/qemu/qemu_process.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index 1c0c734..58ed631 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c @@ -4856,8 +4856,13 @@ int qemuProcessStart(virConnectPtr conn,
VIR_DEBUG("Setting domain security labels"); if (virSecurityManagerSetAllLabel(driver->securityManager, - vm->def, stdin_path) < 0) - goto cleanup; + vm->def, stdin_path) < 0) { + /* Be tolerant to relabel errors if we are running unprivileged. */ + if (virQEMUDriverIsPrivileged(driver)) + goto cleanup; + else + VIR_DEBUG("Ignoring relabel errors for unprivileged daemon");
How about just

    if (cond)
        goto
    VIR_DEBUG(or WARN)
    virResetLastError()

Otherwise, seems reasonable in principle, so ACK

John
+ }
/* Security manager labeled all devices, therefore * if any operation from now on fails and we goto cleanup,
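Review bot: in the unprivileged `else` branch, every failure of virSecurityManagerSetAllLabel() is dropped behind a single VIR_DEBUG, so the message never says which resource or label failed and the stored error is left set while startup continues. Consider logging at VIR_WARN with the actual error text before clearing it with virResetLastError(), so that a later qemu access failure can be traced back to the skipped relabel. The check also tolerates any `< 0` return, not only SELinux failures, even though the commit message expects DAC labelling to succeed in session mode; if that distinction matters, it is not visible here. Finally, the unchanged comment right after the hunk ("Security manager labeled all devices, therefore") is no longer accurate on this path and should be reworded to cover the case where labelling was attempted but may be partial.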