[libvirt] [PATCH] Allow domain disk images on root-squash NFS to coexist with security driver.

Thursday, 1 April 2010

(suggested by Daniel Berrange, tested by Dan Kenigsberg)

virStorageFileGetMetadata will fail for disk images that are stored on
a root-squash NFS share that isn't world-readable.
SELinuxSetSecurityImageLabel is called during the startup of every
domain (as long as security_driver != "none"), and it will propogate
the error from virStorageFileGetMetadata, causing the domain startup
to fail. This is, however, a common scenario when qemu is run as a
non-root user and the disk image is stored on NFS.

Ignoring this failure (which doesn't matter in this case, since the
next thing done by SELinuxSetSecurityImageLabel - setting the file
context - will also fail (and that function already ignores failures
due to root-squash NFS) will allow us to continue bringing up the
domain. The result is that we don't need to disable the entire
security driver just because a domain's disk image is stored on
root-squashed NFS.
---
 src/security/security_selinux.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 6680e2d..3e20475 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -430,7 +430,7 @@ SELinuxSetSecurityImageLabel(virDomainObjPtr vm,
         path = NULL;
 
         if (ret < 0)
-            return -1;
+           break;
 
         if (meta.backingStore != NULL &&
             SELinuxSetFilecon(meta.backingStore,
-- 
1.6.6.1


    

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

[libvirt] [PATCH] Allow domain disk images on root-squash NFS to coexist with security driver.