[libvirt] [PATCH 2/6] virSecuritySELinuxSetFileconImpl: Drop @optional argument

The only thing that the @optional argument does is that it makes the function return 1 instead of 0 if setting SELinux context failed in a non-critical fashion. Drop the argument then and return 1 in that case. This enables caller to learn if SELinux context was set or not. Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com&gt; --- src/security/security_selinux.c | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 0523613d4a..35385f4a23 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -1261,19 +1261,23 @@ virSecuritySELinuxGetProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, * virSecuritySELinuxSetFileconImpl: * @path: path to the file to set context on * @tcon: target context to set - * @optional: whether to treat errors as fatal * @privileged: whether running as privileged user * * Set @tcon SELinux context on @path. If unable to do so, check SELinux * configuration and produce sensible error message suggesting solution. + * It may happen that setting context fails but hypervisor will be able to + * open the @path successfully. This is because some file systems don't + * support SELinux, are RO, or the @path had the correct context from the + * start. If that is the case, a positive one is returned. * * Returns: -1 if failed to set context and SELinux is in enforcing mode - * 1 if failed to set context and @optional is true - * 0 otherwise. + * 1 if failed to set context, + * 0 if context was set successfully. */ static int -virSecuritySELinuxSetFileconImpl(const char *path, const char *tcon, - bool optional, bool privileged) +virSecuritySELinuxSetFileconImpl(const char *path, + const char *tcon, + bool privileged) { security_context_t econ; @@ -1289,7 +1293,7 @@ virSecuritySELinuxSetFileconImpl(const char *path, const char *tcon, if (STREQ(tcon, econ)) { freecon(econ); /* It's alright, there's nothing to change anyway. */ - return optional ? 1 : 0; + return 1; } freecon(econ); } @@ -1326,9 +1330,9 @@ virSecuritySELinuxSetFileconImpl(const char *path, const char *tcon, VIR_INFO("Setting security context '%s' on '%s' not supported", tcon, path); } - if (optional) - return 1; } + + return 1; } return 0; } @@ -1388,7 +1392,7 @@ virSecuritySELinuxSetFileconHelper(virSecurityManagerPtr mgr, } } - if (virSecuritySELinuxSetFileconImpl(path, tcon, optional, privileged) < 0) + if (virSecuritySELinuxSetFileconImpl(path, tcon, privileged) < 0) goto cleanup; ret = 0; @@ -1553,7 +1557,7 @@ virSecuritySELinuxRestoreFileLabel(virSecurityManagerPtr mgr, } } - if (virSecuritySELinuxSetFileconImpl(newpath, fcon, false, privileged) < 0) + if (virSecuritySELinuxSetFileconImpl(newpath, fcon, privileged) < 0) goto cleanup; ret = 0; -- 2.21.0