On Thu, Sep 08, 2011 at 06:26:05PM +0200, Michal Privoznik wrote:
If we fail setting label on a file and this file is on NFS share,
it is wise to advise user to set virt_use_nfs selinux boolean
variable.
---
src/security/security_selinux.c | 11 ++++++++++-
1 files changed, 10 insertions(+), 1 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index ca54f9b..028f5b2 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -420,8 +420,17 @@ SELinuxSetFilecon(const char *path, char *tcon)
* virt_use_{nfs,usb,pci} boolean tunables to allow it...
*/
if (setfilecon_errno != EOPNOTSUPP) {
+ const char *errmsg;
+ if ((virStorageFileIsSharedFSType(path,
+ VIR_STORAGE_FILE_SHFS_NFS) == 1)
&&
+ security_get_boolean_active("virt_use_nfs") != 1) {
+ errmsg = _("unable to set security context '%s' on
'%s'. "
+ "Consider setting virt_use_nfs");
+ } else {
+ errmsg = _("unable to set security context '%s' on
'%s'");
+ }
virReportSystemError(setfilecon_errno,
- _("unable to set security context '%s' on
'%s'"),
+ errmsg,
tcon, path);
if (security_getenforce() == 1)
return -1;
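Review bot: The test `security_get_boolean_active("virt_use_nfs") != 1` in the new condition is also true when the call returns -1 on failure, so the "Consider setting virt_use_nfs" hint is printed even when the boolean's state could not be read. Comparing with `== 0` would limit the hint to the case where the boolean is known to be off. Separately, `errmsg` is now passed to virReportSystemError as a non-literal format string, so the compiler can no longer check it against `tcon` and `path`. Both translated strings must keep exactly two `%s` conversions; calling virReportSystemError with a literal format in each branch would preserve that check.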
I like this, definitely a usability enhancement (for a specific case)
ACK
Daniel
--
Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
daniel(a)veillard.com | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library http://libvirt.org/