[PATCH 1/2] selinux: Swap two blocks handling setfilecon_raw() failure

Monday, 20 September 2021

In virSecuritySELinuxSetFileconImpl() we have code that handles
setfilecon_raw() failure. The code consists of two blocks: one
for dealing with shared filesystem like NFS (errno is ENOTSUP or
EROFS) and the other block that's dealing with EPERM for
privileged daemon. Well, the order of these two blocks is a bit
confusing because the comment above them mentions the NFS case
but EPERM block follows. Swap these two blocks to make it less
confusing.

Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com&gt;
---
 src/security/security_selinux.c | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 0e5ea0366d..050acee2b0 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1264,22 +1264,9 @@ virSecuritySELinuxSetFileconImpl(const char *path,
          * boolean tunables to allow it ...
          */
         VIR_WARNINGS_NO_WLOGICALOP_EQUAL_EXPR
-        if (setfilecon_errno != EOPNOTSUPP && setfilecon_errno != ENOTSUP
&&
-            setfilecon_errno != EROFS) {
+        if (setfilecon_errno == EOPNOTSUPP || setfilecon_errno == ENOTSUP ||
+            setfilecon_errno == EROFS) {
         VIR_WARNINGS_RESET
-            /* However, don't claim error if SELinux is in Enforcing mode and
-             * we are running as unprivileged user and we really did see EPERM.
-             * Otherwise we want to return error if SELinux is Enforcing. */
-            if (security_getenforce() == 1 &&
-                (setfilecon_errno != EPERM || privileged)) {
-                virReportSystemError(setfilecon_errno,
-                                     _("unable to set security context '%s'
on '%s'"),
-                                     tcon, path);
-                return -1;
-            }
-            VIR_WARN("unable to set security context '%s' on '%s'
(errno %d)",
-                     tcon, path, setfilecon_errno);
-        } else {
             const char *msg;
             if (virFileIsSharedFSType(path, VIR_FILE_SHFS_NFS) == 1 &&
                 security_get_boolean_active("virt_use_nfs") != 1) {
@@ -1293,6 +1280,19 @@ virSecuritySELinuxSetFileconImpl(const char *path,
                 VIR_INFO("Setting security context '%s' on '%s' not
supported",
                          tcon, path);
             }
+        } else {
+            /* However, don't claim error if SELinux is in Enforcing mode and
+             * we are running as unprivileged user and we really did see EPERM.
+             * Otherwise we want to return error if SELinux is Enforcing. */
+            if (security_getenforce() == 1 &&
+                (setfilecon_errno != EPERM || privileged)) {
+                virReportSystemError(setfilecon_errno,
+                                     _("unable to set security context '%s'
on '%s'"),
+                                     tcon, path);
+                return -1;
+            }
+            VIR_WARN("unable to set security context '%s' on '%s'
(errno %d)",
+                     tcon, path, setfilecon_errno);
         }
 
         return 1;
-- 
2.32.0


    

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

[PATCH 1/2] selinux: Swap two blocks handling setfilecon_raw() failure