On Thu, Sep 08, 2011 at 06:26:05PM +0200, Michal Privoznik wrote:
If we fail setting label on a file and this file is on NFS share, it is wise to advise user to set virt_use_nfs selinux boolean variable. --- src/security/security_selinux.c | 11 ++++++++++- 1 files changed, 10 insertions(+), 1 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index ca54f9b..028f5b2 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -420,8 +420,17 @@ SELinuxSetFilecon(const char *path, char *tcon) * virt_use_{nfs,usb,pci} boolean tunables to allow it... */ if (setfilecon_errno != EOPNOTSUPP) { + const char *errmsg; + if ((virStorageFileIsSharedFSType(path, + VIR_STORAGE_FILE_SHFS_NFS) == 1) && + security_get_boolean_active("virt_use_nfs") != 1) { + errmsg = _("unable to set security context '%s' on '%s'. " + "Consider setting virt_use_nfs"); + } else { + errmsg = _("unable to set security context '%s' on '%s'"); + } virReportSystemError(setfilecon_errno, - _("unable to set security context '%s' on '%s'"), + errmsg, tcon, path); if (security_getenforce() == 1) return -1;
I like this, definitely a usability enhancement (for a specific case) ACK Daniel -- Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/ daniel@veillard.com | Rpmfind RPM search engine http://rpmfind.net/ http://veillard.com/ | virtualization library http://libvirt.org/